23542300x80000000000000001045397Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.870{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B92B6D298F73E418BEF3E3A91982F109,SHA256=D705921C3300218BDD7F980456D9A2AD9FD8D13233FBB458FCF1AD4745A08C2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805670Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:41:54.423{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB44EE5325C29C34120D2D17ED6363AD,SHA256=269EBA3AAB20842DD2D73251640165DC1DFA37F13F97EE2E449A416D73C34D11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045396Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.720{466BC892-F242-60EB-DB7C-00000000CF01}20085836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045395Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.701{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA64E7ADBDB8F3354493C958658BEBA6,SHA256=DD7F76C4C3C6866E153822BC59AD377684B1A6130987407FF4B3795F06906C7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045394Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.523{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F242-60EB-DB7C-00000000CF01}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045393Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.523{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045392Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.523{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045391Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.523{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045390Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.523{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045389Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.523{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F242-60EB-DB7C-00000000CF01}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045388Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.523{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F242-60EB-DB7C-00000000CF01}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045387Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.518{466BC892-F242-60EB-DB7C-00000000CF01}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001045386Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.039{466BC892-F241-60EB-DA7C-00000000CF01}92247896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000805669Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:41:53.248{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57125-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045406Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:55.872{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBD7DD6A01CD1B0EE31A888F5BD78562,SHA256=ED0C815DDA4E7604EDD95B85D90581BD24EB4C12BA713D1C9C1B44AE3DFB57B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805671Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:41:55.455{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604F0D235A07DC8094F0EF36FD39630D,SHA256=ACF5558ED4735EDFA68B8479C2F7DEBF14BC138865A57D035A27561DB376549A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045405Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:55.357{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F243-60EB-DC7C-00000000CF01}9768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045404Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:55.357{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045403Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:55.357{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045402Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:55.357{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045401Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:55.342{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045400Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:55.342{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F243-60EB-DC7C-00000000CF01}9768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045399Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:55.342{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F243-60EB-DC7C-00000000CF01}9768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045398Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:55.206{466BC892-F243-60EB-DC7C-00000000CF01}9768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045410Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:56.887{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5480AD9B2247E7E18D54D32AB920F9,SHA256=E9E624A0C974AF1198100CD7AA3140960D7E4F0D0C87FB2ACFA0A9D2E59314ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805672Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:41:56.470{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA2DDB08813BC266A60F08E5A04F91EE,SHA256=1F78012ABD64DD6C664F8DCF7FFB8203296BD68237168F3DD87F05EBF7DF03AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045409Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:56.671{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045408Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:47.729{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50870-false10.0.1.12-8000- 23542300x80000000000000001045407Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:56.223{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E94C19B74B372ACBC19E5A6312E9069,SHA256=7B9F1DA1315BC79A1B21C5E2F6BCF31F3484133290076D93FD2A45753ABD7B2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045411Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:57.902{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FFD19191F72CAAF9A98CE17B0F3B8E2,SHA256=ED69F3222210E20BD41FF0706C78478472C91454C4508860E64459B339C87AC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805673Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:41:57.486{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0564954F3C9C40032E6F52A31AED1277,SHA256=0F79EC94E3C29D0F93E6A675518A24630F2EEB3199612F8971C12CB599B9C319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805674Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:41:58.517{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057F8118299D8AA0C88051F03F167BDC,SHA256=5F0948ABF79B2B0833DA52CD1884BF4ACE2B16326BD423F4A0111C0C1E7C4714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045415Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:58.920{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFAFCFEF821DB42DFEA289202B9B2D32,SHA256=C5EE8A0BA5950F4030C93E329B4CC7BBAC8A672232BF1AE0D07D4D58FBCC0381,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045414Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:58.586{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045413Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:58.586{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045412Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:58.586{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-02AD-60E8-0A00-00000000CF01}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045419Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:59.938{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20A08912DD30BBCEA515C329C8897F7F,SHA256=C6294CF7382A39E4F08FB12E87A5994D360171EE3A821DBAE65BD6D13084B922,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805675Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:41:59.517{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8FE2F5AACB088B71FD20809F0253F5F,SHA256=D10F670FB4801CDC1A4B8AEED89547048E770CCBA496D567DD77D8EC68F5BB7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045418Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:59.600{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C1BC07E5FD8A18F8F289EDA395661EA4,SHA256=AA70BC0CB8036F67BD83D1671016762B24DCF1085A7E5030F5EA82BF867967D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045417Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:59.600{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=CBF67D2AD4D8339926B6765FF7D4FDFF,SHA256=18BA55D4C5E14B2528EFAA3F395781582CC9867D21D1A49C33C1D1BDC5156BA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045416Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:50.214{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50871-false10.0.1.12-8089- 23542300x80000000000000001045421Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:00.941{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0BB03939B9078AA7DA729440F04064C,SHA256=5E37DB3A3994084D14935183E9C5F03A2F8398C829D253613AD60BD7FF85382B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805677Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:00.533{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F98B8562EC3FF0EDCEF1CE987CE3BA2,SHA256=8469AB290C93D1C52250424C16E62C17A827D3C03FB9287543B49059CC598BA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045420Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:52.153{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local64247- 354300x8000000000000000805676Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:41:59.260{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57126-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045425Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:01.957{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=554F243D88270D19315DE6497E761E49,SHA256=C2B1CCD2E8F6575CB87B9D8B311FCC6A727725B2AAAF51C9947C7A436D633440,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805678Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:01.533{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68B634E6E2CCE025D8E08903B65BCF60,SHA256=A3787A1C69EC2103F3D78F7EBA0F5B9A887E2381D193B034EA316B92599C67A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045424Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:53.596{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50873-false10.0.1.12-8000- 354300x80000000000000001045423Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:52.158{466BC892-02AF-60E8-1300-00000000CF01}976C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-890.attackrange.local50872-false8.238.35.126-80http 354300x80000000000000001045422Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:52.155{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local55778- 23542300x80000000000000001045426Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:02.957{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30BD5D7596BB08C2611B2B1740256F3,SHA256=620C9A6791F7E1C4DFE66A9B225B41BAC50DCB23B3A0ED30F1CE737A34955A85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805679Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:02.533{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EC7324614A8879D0A74CC53DA3F2F5E,SHA256=EF8D594A7F7B60FAB68C3BA15002976674DF0C4D0134946AEDCD0411DAF33157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045427Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:03.975{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8844D52D65A510A746BFC61D1B862716,SHA256=8F8373F364036FD59A552E50A7F191ECBFB1DB017063645873202CBE64EDFFC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805680Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:03.548{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1197E36AD67547747566B47DDE39D3C,SHA256=66196EEC676ACD217674A7367AB170C24769F424DC39C5D30BA8FCCB137567F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045428Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:04.990{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=165982A779DC6FE4BEBA234F80DBE516,SHA256=84D08DAD73D4237BA3A659BA2A6E29BB78C5378F4908098B520A510AD8B503BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805681Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:04.564{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96F884B57D130FA3D98F66A2D86ECEDF,SHA256=B797843575637030C8000AD34E1B1263C834FFD13512DC87EBF86CCF8D97BF9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805682Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:05.564{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C50792D51F70CB56B3BD200FA57410,SHA256=3123811B531BF305DFBB55413D4F36993D116E25774F91E843B232DD1A3CADB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805684Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:05.260{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57127-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000805683Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:06.564{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=646412085DBCC5925C653B4F81C63166,SHA256=D5BD8E8B81598A5D3BC12960E0E32E4FE2B72641C2FF8FA268C7D4C64ADD4698,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045434Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:06.089{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045433Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:06.042{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-5563-60E8-2010-00000000CF01}4048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001045432Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:06.042{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-5563-60E8-2010-00000000CF01}4048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001045431Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 07:42:06.042{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.4048.407.111828348C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001045430Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 07:42:06.042{466BC892-5563-60E8-2010-00000000CF01}4048\chrome.4048.407.111828348C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001045429Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:06.023{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=504F6979523580F915836A0A9DBE7762,SHA256=77480C73A5AD5B96CBB6741C7385A537AC546319F915039507ED4A2FFC98793C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805685Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:07.580{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36B3FFA979A88BE4783D6929F2D41C51,SHA256=5D4567E7B1ECBA8474EB86DEFD2F4F5A2FF6D96022198692E228FE662FD1C6FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045436Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:58.733{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50874-false10.0.1.12-8000- 23542300x80000000000000001045435Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:07.042{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97660B17F797A18D471A25E5A166AA69,SHA256=672CFFF18E07404C680EBA28A9441BDCC9CFE476195F7531CA091D3E1250016F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805686Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:08.611{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B179557545AE417C4B7657E0D370E189,SHA256=583B590791A94A155BAB1E40C46845174D709A4A74BDF248AE8F91EEA2B79DB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045448Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.503{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=94D4F9052682CFE6283A54C4E4376C06,SHA256=BA63BF21A83DF5614C9424572E4028897026840F32E0E8E64C4C4904177ACB69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045447Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.487{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=6A629D24517E6F2A83ACC3A5D9CC4358,SHA256=60CE43DA74477129D0FCA03CD8A1E832337851551CDF483B220182CA61A1923B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045446Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.487{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F45FDA3FD0F97B5D3C8556F513FA4895,SHA256=FBB6959C8F364BC86C786DDAC07755D33BB96BB468932B25ED3539BCD58A6D4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045445Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.487{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=EB5CC9BE3B286DB07B553415F47684AB,SHA256=D0FB082507B27BAFB8574C9F9D0F230DAE15350656658A7A2D7706FE3012F9F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045444Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.487{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=D293774C52B1A2862BBBE0DD0582517A,SHA256=436711D842EB0125C3364ECCF942287130125766C83CCF0C88C2F0A8BA20C0A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045443Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.487{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C745088EC979F9F34A53DC296B2DA81A,SHA256=389EE94F5E6004414EA0D0D06F816C2573FF42612FED739B5D0078AE297847E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045442Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.487{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4C8364AE8724C6AE4E9547B6F192FA5D,SHA256=51E4EDCBB77648A343FCA6FD6A3298B04B34B6585AE4EC7EBC322676FE6E1951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045441Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.487{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=0ED92001D2219449A196572B56919B56,SHA256=4B28F26BAB8D74AF9ED4F8203224D75973A6E6FB5B11E553309A396C00AF674E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045440Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.487{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=A2C9298C1C5463F3E1332779B8CFB0A3,SHA256=427AE1783979DAE45176380F6F207E0E18BA1EAE1E043AFF51360150F3D3B187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045439Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.487{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=0A3DCB1B0CE4B5DA13DAF653A3B18464,SHA256=2BA8FD8A43D68DCDB02E5693E3C74BF140F7978F5E69A2C2E8FF02202DB7016C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045438Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.487{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=85AC2A30DEE5697C6DB58F799D32D13D,SHA256=E67E5BEF0480F7DFEE9D1975C9F21B16633758A656A36EB8545C3CFC78216E27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045437Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.057{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B5BA0F79B4FEF31CCE895E3A9C02FE,SHA256=108898A3E635FD9326F51183F19DB4F8DDCE61A390E49FB1A7036697FEBA88F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805687Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:09.658{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00512F5E03E0F6F32B422B8CC3953E9B,SHA256=0DA22B9AE002AD83CDAD36D743BA5FFE604E4D1D06FC02BE9B8266291CC0A0D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045449Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:09.071{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8CCD67913796F910BC36FD7A806DB83,SHA256=784CAFC11EEF99D9675C4E30247E359AA867BAB2F0FDCEDAB0263751E5F74C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805688Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:10.705{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E1015CFB33E3FF4312B860682FFF38,SHA256=6FCF14D174BC3A6176067925833E3EC1AFA42B87274752B3FCEA27D8D1BB0D1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045450Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:10.086{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D956EDBD8D8C6E1326A316421C20B821,SHA256=C8A969EA792F85CB601D9984252FE99552D0D71C5406FD19B0BC5CA6E2AFD1DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805689Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:11.736{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE8CFEC7CFB0ADD24317884DB0CDE04D,SHA256=E5D3AA8F41313BD3423D651559318938E5E62AE1141CB30C8B0EB62C88D6029C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045451Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:11.087{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=399BD9B17C035C9FCB2E174921B1E008,SHA256=927C7FCA577E4BDB61237CD5F12CEF224F9C4B2E0B1543F10BC7A08E5D3B24BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805691Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:12.767{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49F59C8F1824EC53CF1814B5D43FCE24,SHA256=487729F53711D67CD6B1BA799ABD17489040764B96B74E7F938CD3D4D47A6DDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045453Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:04.661{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50875-false10.0.1.12-8000- 23542300x80000000000000001045452Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:12.119{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77755F6141131CEBAD9EA855B6507DEE,SHA256=E7FAB54EFB52329BB9DD11A8D0D7726B53D0FA6927C400F0E51399758F9A74AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805690Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:10.400{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57128-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000805692Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:13.778{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B08E9ABB97F7C0FF4603E018CEF0FB,SHA256=E6B0571FDC2429C54A7FFED30F4CA9BB069F2AD459BC0D4075340A47458DAABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045465Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=A8F627E6E4213B2AC2504487F1A9784A,SHA256=6F71E27A506352C54D642832BB81AC44ACC0A12C8B7EA2D42CDF3D5F94CCF402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045464Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=513BD2C5A9C48BDF096BCEDAC76F0CF7,SHA256=E70F846539EC7A5F6F0F308A03219C4DAEDE5F22FA5C2A61FFACB6FBD1CF3DDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045463Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=6BE4FC5CBBEAEB5AB4831E685F910899,SHA256=AED81F78594BCB48535B420C1476B59FBCA9EF31D93B4859F3A2A3EDCA511BC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045462Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=2D9F7911EB8E5A7D2AC81AD88F3EC8ED,SHA256=C411800FF74B2D54FC3D5825467EF96C3BE04907DF332F2ACA05EF7741B26252,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045461Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7DA8994B1E68B7F1A2F95E77BA90B236,SHA256=8903ACED0B3FCFAE7FE60E08B54B22D1E198085B9AFBDBA7FEF7526038DBC7AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045460Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=98B7FC9DEFD9B08319CFE953676B6412,SHA256=F33C8C695FAFEFE00D985D4C68C4ECAFFC42172FAF00C385DB32E2ED2BE05B2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045459Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7A629B560B0948CFD64413383579600E,SHA256=994350B43A868F6932536EABF42832F90EC16FDC23B2DED4C066540D23F79C4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045458Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=177A28C3A06E2013287FC7765111EBFA,SHA256=9922B3A9A93EC30CC39E796113275DB5149A41097AA5E7287F301287E5CACB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045457Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=365737606F4D43E19876F9D5DCC826C6,SHA256=23C7A0F154453F662BA743E9F0233FB09E67C50E964AAFF5E341F6EEE0D46EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045456Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=DE5309582FCBE68D975F55C2565CDB93,SHA256=8CEFC8D55A38C466AB72CFBB3A138BCA5913A992CA131518DFA83F8E847CE753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045455Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=14852CB422EE770748A1E188D5E44DF0,SHA256=712AEB9D79710021E590889D481F4C4F046735491C56569D1D7EF45A25C04A0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045454Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.154{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB3E52C8388A092FD5D9A5F1ABEC1118,SHA256=8F13133F2551D6661377EBB3A70C57F0A622B583B3ADB3162450DB54662303B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805696Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:14.778{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DDE8B65B020127CC3C46887A41FE2CC,SHA256=E1CACCF2C247D334DDC85073B024235725380370D5DBC52C57F77F5AD4BFEDA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045467Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:06.685{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57129-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x80000000000000001045466Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:14.168{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3058F78D001EB07DD183786178A5B24F,SHA256=4B21A55FB528AF08B8C8DF0E335892FBFA84AEA1547AA5B47EDB20C3C827F0B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805695Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:12.356{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-23361-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000805694Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:14.138{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39708B4C01F50225A54CBA928464A82C,SHA256=E4D431FB905A8819EE79EB450B62805FED4AA730FC8268599AE220F0A0BC0F3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805693Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:14.138{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E59A5D0905F06A3C83CDF77FFA2BC5E7,SHA256=4E7EA43DFF780D547D73A1915F67AE4C96CC5B0DC1532614548291E7813BB1AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805698Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:15.857{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F8CF2B6C38F339279DF1E966B3FB528,SHA256=6BDEC82FDCE586AD0D2033CE4BEE9727718D03CFF0B05CC7A062B06D4364E989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045470Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:15.320{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08CD5168587700352B4170704D1AD96F,SHA256=9488B4AAE8FA2670D74D01C850C44736573D97E59B2BFAB1E27A364E8F1EF613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045469Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:15.319{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C95318CED7F6C2FC53AFE3401453DB3,SHA256=D1E7BDF900B80EF92B4C43FC648A04C7AD2A90D20EC9594D1D31D37ABF385A4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045468Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:15.199{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=370D111ACD4F1E78F014FC163973B992,SHA256=6B3E3DFE247F5D235D128051EC0AF96FF195FC7ACCF9B1F7FA3AE7F047AE4038,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805697Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:13.279{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57129-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000805699Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:16.857{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=810A49FF490C0CD6833D925DB0C56675,SHA256=94C95F555BBA55F2C7FD79FE6ABF195A80CBD6F747CDF929743D3943D1993A7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045473Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:07.858{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50876-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001045472Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:07.858{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50876-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x80000000000000001045471Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:16.217{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF30732DEEFF1DB7539197AD887C9168,SHA256=04DEA21A65DDEC7EADC88C8B026A45EC00D781C1C5E1F383340011A5131F1505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805700Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:17.857{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D562C3CCF6571D0952244417AD4F4FC0,SHA256=928EF3EDA7E682CE6E38AA1848CABE653149BC1005F898FC76FCB37AF3A699BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045475Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:09.794{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50877-false10.0.1.12-8000- 23542300x80000000000000001045474Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:17.235{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6651A899981A307023E4DC04636D1CE5,SHA256=F9BD263F2707A6F44BF7345CC4ADA29B1E46EC553E6AA4BE7951E85C322C5CEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805702Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:18.872{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E7B9D2C7D4289E83FCFC205EC289E1,SHA256=C97644722AA33057418F5775D90FE186420EDA2267CC318EA9FA7C553E372394,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045477Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:18.238{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ADD0D9744C2B81F4F6FFB94686407F0,SHA256=0E3EE47A112E18E5BD8B50685F491DE075101D880516EB5EB66A505512DAF048,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805701Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:16.364{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57130-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045476Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:18.118{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805703Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:19.888{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C977D733BDABE7C23C180746AAE4F0FD,SHA256=59200BEEF0079D3E7C7A10A24498AB26DE02F890E032216BB92354FC2650882A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045478Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:19.239{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5A839D7B1F3FE07B16B13E9776DF22,SHA256=803605269EBA8C0F17328490933AC78AE890B75AE303AB664C25D26EF88F8864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805705Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:20.903{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0658C8AD31EADDCD3FE122D6351B32C9,SHA256=D863A62330DFFA5FC6E2AE6273E5D133E8A25BFF70139C723438996B95152568,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045482Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:12.580{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-54571-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001045481Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:20.637{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BD9A643BE4EFA8342C81F63B9616F4F,SHA256=2B099FA0EB2DC2319777163EA602FA8A0D553A316321F7E013F77AFB18641052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045480Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:20.637{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08CD5168587700352B4170704D1AD96F,SHA256=9488B4AAE8FA2670D74D01C850C44736573D97E59B2BFAB1E27A364E8F1EF613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045479Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:20.253{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB58D82D096FC98FE07CA710EB60F4E4,SHA256=2FD2A497C9E02E9829C6A79F6739D5C1B6AA3807413D6B030770A1EE866CAFD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805704Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:20.278{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805706Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:21.950{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C48C83EB4BE54954CDDF77C591F8CF,SHA256=A190E41644160F573051C15C0ACC3475C70D70E15CE16931F73D2C7585E0D8BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045483Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:21.268{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76D25031572E4E0DF125629D12E5CC82,SHA256=828791CCDCBA9CED6F8DD00FE3690A394C440589D3BE3AE210506E6220FAA33B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805708Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:22.950{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08E4EF75F946D5ABAA7B269CABFC056C,SHA256=299BB6FF39B0D390912CF4E53869529CF94578D47A501472EA7D298355CA8E19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045485Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:22.498{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\axpgvkas.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=B2C5A949DAB8A0CF7A12F4885F3BCC1F,SHA256=A2803526A509AF88AE438F7AF2C4A88346DA8B350FC058A5D29867A91E0B5B1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045484Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:22.282{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0586F821D32415A90FF6A46964B5F51,SHA256=D6BA58FDAF512E403188FEA98F030A91D1B2B8222413B3D839D5C06585B1437F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805707Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:20.412{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57131-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000805710Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:23.950{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B45315413DE1B814755FBE9AFDAFF656,SHA256=A6582118738CED8B8479E02C6B613E2670CF197D97D2BBD9E3ECACCA84B74EB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045509Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:15.756{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50878-false10.0.1.12-8000- 23542300x80000000000000001045508Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.597{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=CA4D6104E819A88412E05BA7D8C50D9D,SHA256=61FC1B5DC4E51C242E227263DE04DBFE21CB17708DCE4D5E882F25471E124191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045507Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.597{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C29D6ED0737A3B748811F1A336531480,SHA256=A8CBF5B4372EF171380BCB10C6C890F79B8DD3BBB6E5FBBCE13E379ABF171F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045506Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.582{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=04F1483EB500F7DD5DBFCB7E81C66B30,SHA256=D4C50DF4E733C42E32CD034B5835FEF7F2B5DE98A642DA0EA4EEF030F15B49E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045505Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.582{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=CE5AB7E61AF0F3DE5FBB6FF4B849DEDF,SHA256=8E851FF5DF60BE84AD1F9B65BED48310082BC6D293321D694A3EF749D6A115F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045504Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.582{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=55030877845160C36324D191D140078C,SHA256=E8912AD66F83B605A72A81017E5FF3B2ABAB7EE265A12CC5068304D1C4F352D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045503Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.582{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=964C3FEC98E97ABA6FDF704D588DF532,SHA256=52753C9740F5615179FFE924AC746AE6310C0A6A24F4FA361F643A21BAFC63FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045502Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.582{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=12565593B8B39100395CED136B1C853A,SHA256=B1B4FDA69CD1608DAA622DDA8E6F607DE85459FC751334E02D5561B0C5AF117F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045501Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.566{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=692BCE6277272CD8850B3A4F6AF96D31,SHA256=AFFE021C26EDD1C32AE538D1256ED9449AADAD3B32702B75AA5BA4BCA54C0D8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045500Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.566{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=DE713F5D008133E2C57A986B3BFDC51B,SHA256=7315FDA825B39F94D09A4C3C3DF547FA26325889E2B71C82A52576DD5628062C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045499Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.566{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=CF3093BCD820CB24E9AAC36B1CA8A81F,SHA256=2E8D846228239446FED20C7CEDE0CBF2CCAD98B1550CEAAACBF7DD9D0AD2F196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045498Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.566{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4D0FFB1CAEC8B7011519BBBF0A785BBE,SHA256=E1349C7F2B5EDDF1C1A43E816F8AC4ABF44886DA7F62160F32223CD7B88ED852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045497Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.566{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=09BF2AC8B3EEA61B2E295A7990FFEE1C,SHA256=0D5FEE5D92AC7AA44120276EB8909AA80D34F3E28B8ABF4E435B919CB0FD2946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045496Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.550{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=8115E1DDDC577B4525039501D885A2A5,SHA256=C9C4E3E383BF7AAA7699D396AA111F6D2E3BEC650B964979C361B0589B027142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045495Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.550{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=246BBD7D35447F27A53D7AC39A11BDE3,SHA256=E856245818F7D48949E92EF5824C103291D6277DD5AF4531087A2F7950F40AC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045494Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.550{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=E9A693C0C475C63677A1390620BEB866,SHA256=B1CB0280987030EC8AFFEB30CFC9EEE44E26C17C4E032F995AA24BBDD7534D5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045493Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.550{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=240BB9AA5BFD2F0FF4DF287D61B3F5B2,SHA256=D3BF746D71FC600759CFC15D33C4F6FF1AD8A76E970E32428249D7775D62A11F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045492Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.550{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7A2E3AB6BA19DE38ECDF0BB634C4D2F6,SHA256=1CD1852FEE81A3545C852CCEC78D4C1379D1A1AF8E7C5102A915E7330DF16EB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045491Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.550{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=E2C7DCF0CB87DB81F61A4B5FBE6F333A,SHA256=0D0370F9CDCD478D20BF88B1BFD416138A37BD72892ABC8202C732FB79C907DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045490Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.550{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C9B3EC857B0ABFD9E75264ACB923AFA7,SHA256=B0C51B59DA5F08CDCAD7B227A9F1840C909D9F33FB01B80809EC4B2B371FEDFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045489Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.550{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7A5255A9AA5BB65A34C76103971F010E,SHA256=6E459AEDB557904224352426DED7743F7F36D792E7D6C6AD1F9A1C1F3BE05D61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045488Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.550{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4F6C7A0A4D033B01AA9CCB838420ACAE,SHA256=590DF34EE1706829242A2BFDDA1564D393D078B1FF8617A8ABFD449A32E36FFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045487Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.550{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=DF96051058A603AE0207DE636EC8B266,SHA256=57F57EDB02886535037E10C6D21C40B200E7DD61633DD2235A749075142C9CE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045486Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.297{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11B6CFAD0ECF325F6A8436F957EDA816,SHA256=7F73BC224372F6702EECE5B2D6D2BE22550D663AD11390D4444C972ABEFCF818,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805709Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:22.286{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57132-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045510Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:24.318{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E39589DE81FCA5EC37CE50416B63C49,SHA256=04EC0C0E9EEE4C467EC9064BA6CC23755003EE9F4E56C99CDEB2CFF4B63742B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805737Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.919{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F260-60EB-2E79-00000000D001}1432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805736Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.919{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805735Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.919{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805734Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.919{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805733Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.919{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805732Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.919{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805731Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.919{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805730Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.903{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805729Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.903{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805728Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.903{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805727Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.903{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F260-60EB-2E79-00000000D001}1432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805726Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.903{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F260-60EB-2E79-00000000D001}1432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805725Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.904{0C1E0330-F260-60EB-2E79-00000000D001}1432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000805724Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.372{0C1E0330-F260-60EB-2D79-00000000D001}20883688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805723Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.232{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F260-60EB-2D79-00000000D001}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805722Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805721Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805720Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805719Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805718Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805717Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805716Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805715Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805714Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805713Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.216{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F260-60EB-2D79-00000000D001}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805712Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.216{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F260-60EB-2D79-00000000D001}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805711Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.217{0C1E0330-F260-60EB-2D79-00000000D001}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000805753Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.607{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F261-60EB-2F79-00000000D001}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805752Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.607{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805751Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.607{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805750Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.607{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805749Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.607{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805748Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.607{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805747Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.607{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805746Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.607{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805745Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.607{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805744Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.607{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805743Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.591{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F261-60EB-2F79-00000000D001}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805742Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.591{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F261-60EB-2F79-00000000D001}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805741Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.592{0C1E0330-F261-60EB-2F79-00000000D001}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000805740Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.310{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97F2B168C86320EFAB6765726DA9879C,SHA256=8DA23FA57D51BDE0EF9822DF3E68F7DDE52CB1E8B744F93571A7D9DCE5931AE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805739Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.310{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39708B4C01F50225A54CBA928464A82C,SHA256=E4D431FB905A8819EE79EB450B62805FED4AA730FC8268599AE220F0A0BC0F3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805738Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.153{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5482F1930A126F34B5F48F4F413C93F4,SHA256=A89AB223572E20AE4930BE4C6E4CD25D60D2F3571589DAD75EF616379AD2012A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045511Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:25.349{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECE6EEEC0E335AA996DD62EAB2F363A8,SHA256=C5E666CCF702956E538BBB30ABA9688CA43B05D83A229651DDEAB4EBA5DEDBFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045512Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:26.364{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF1F6933CC3BF0A125E650B942FF69C,SHA256=71AF93F7681B2F9E0830E803E5512472654E471DEBF1E28E8C5DFCB4C4689D7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805781Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.966{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F262-60EB-3179-00000000D001}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805780Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.966{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805779Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.966{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805778Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.966{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805777Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.966{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805776Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.966{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805775Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.966{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805774Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.966{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805773Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.966{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805772Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.966{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805771Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.966{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F262-60EB-3179-00000000D001}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805770Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.966{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F262-60EB-3179-00000000D001}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805769Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.951{0C1E0330-F262-60EB-3179-00000000D001}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000805768Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.622{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97F2B168C86320EFAB6765726DA9879C,SHA256=8DA23FA57D51BDE0EF9822DF3E68F7DDE52CB1E8B744F93571A7D9DCE5931AE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805767Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.294{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F262-60EB-3079-00000000D001}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805766Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.294{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805765Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.294{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805764Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.278{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805763Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.278{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805762Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.278{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805761Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.278{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805760Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.278{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805759Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.278{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805758Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.278{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805757Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.278{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F262-60EB-3079-00000000D001}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805756Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.278{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F262-60EB-3079-00000000D001}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805755Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.279{0C1E0330-F262-60EB-3079-00000000D001}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000805754Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.216{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A9320FF155E77DC9EB6DA7928AF4A6F,SHA256=BA21060588E57AF608CB8FC3550B46C81C7F1F91408819F0FBFAC10C2A84C712,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045513Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:27.379{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=024788F206702B1A01457F794970CA6F,SHA256=106ABEBFD3A3C2BCBB8C35E8774AAA9A9C2B4308AF35335A594D81B83317CC76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805797Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.794{0C1E0330-F263-60EB-3279-00000000D001}292640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805796Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.653{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F263-60EB-3279-00000000D001}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805795Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.653{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805794Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.653{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805793Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.653{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805792Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.653{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805791Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.653{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805790Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.653{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805789Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.653{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805788Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.653{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805787Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.653{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805786Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.653{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F263-60EB-3279-00000000D001}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805785Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.653{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F263-60EB-3279-00000000D001}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805784Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.638{0C1E0330-F263-60EB-3279-00000000D001}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000805783Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.325{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94EBC934F1C61B73178FB8C6C81AF357,SHA256=7C8549DCFF11065079D6DFEF916F97E60AC0E8BDC2A7C43FBE9B186C9B6E7BCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805782Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.122{0C1E0330-F262-60EB-3179-00000000D001}33162436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045514Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:28.379{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06EAC5C7619DA2A9444BCD9D12BD2602,SHA256=013B05B7FB13750364E1DA7587BE433DD0599F3314B463DEDE16A7E146921479,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805813Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.622{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D13D78B777C32821DF5949761D286235,SHA256=575E33BCE72160CB0A547A397A5E1DD0580DD297DD26D2BA233BF9E74E57FB0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805812Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.497{0C1E0330-F264-60EB-3379-00000000D001}416404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805811Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.357{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F264-60EB-3379-00000000D001}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805810Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805809Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805808Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805807Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805806Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805805Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805804Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805803Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805802Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805801Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.341{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F264-60EB-3379-00000000D001}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805800Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.341{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F264-60EB-3379-00000000D001}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805799Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.326{0C1E0330-F264-60EB-3379-00000000D001}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000805798Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.107{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77472AA1BA26B8C7BC0C28D97CDE40C6,SHA256=A494A5A8C8E3BB25ABD73CC65AD2DFA1FACEAACCDDCE5280DD05821BC7A77C41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805816Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:29.638{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E08A31266E0DC72D1251B166E6B4105,SHA256=B234B28D0154B21499A59E2ADC8D292A2E9B6241E0EFE7A08B02E0D5695CB208,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045515Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:29.394{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E364F158382A6C04C3D1F30BB9B27918,SHA256=4628254D374182D19DEF03062CF846D8CE4BB6E90F4F6B4D0F3231F55258E2D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805815Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.242{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57133-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000805814Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:29.372{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A42167B1ED28E7D060BCCEED1BB2D37,SHA256=5FEEDA971941CE546F980AAE85774E9D48B78D89A2633D8F2FFB6CECE6DD43A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805818Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:30.653{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9519A83D78096288710DD9A73A4A23D9,SHA256=C3E907491F127314BEEC03A0C5B9A615272331A8804E28A7A689617300E3D38C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045517Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:30.431{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67365BA9416A86532007F360710596F8,SHA256=34167DD7905ADF8C67BEB10332652C5E4433E5374977812AA560B15CFE48F66D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805817Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:30.044{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=829596DDDBC27ED4F24B2BFEEF61EAED,SHA256=606CC04E9FB34D0DA4FF68BF55D76FE50620BB129714C61B24C6F524D03D88BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045516Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:21.721{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50879-false10.0.1.12-8000- 23542300x8000000000000000805819Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:31.685{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0A0988CC333073CCE48FBC68EC9AC45,SHA256=2354EBA5085C5940C4E358CCE37B7CA377331D9F22A19D5172ADA11BBE1E5AD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045518Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:31.445{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C67FF5AF8750403805B84DF90218B21,SHA256=1756651D2045306662A55356B5346A4C5A371D53F2B521A2903A5ADFD2A1DEF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805820Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:32.685{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64DA1D88C0B380D347DD181ECDA26352,SHA256=C5DA9ABD30F6144D3593B6525D562614B100DA9AF5665D6DBC8BA44CDACBD937,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045519Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:32.460{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5BB7BA575C5C1C035D597DEAB369D25,SHA256=EDE6050EC3326B9991732C5CE2C7A6B194E615F3EF9D86FB04D093A7BDE8EF41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805821Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:33.697{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29833DA41FE7AD9F84F750425FF36EF2,SHA256=C5ED796942A6DEB12801F30D3A261BF2E7A1C72AB3CEE316BDFB6D74535D83B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045520Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:33.490{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95E623AC9BCA14A4610B2324AD9724F,SHA256=CC0207923E2BAAB360DECA2BBAD76308AEED0D84E4FAD08A8BA803F8288FC7DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805823Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:33.240{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57134-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000805822Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:34.712{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F60D9CD8EFA03DC848625BDF4672E575,SHA256=2322CE2A4C2397E1E5CF977638A5FF6DB06CF7043A5E44313C35B69232F69CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045521Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:34.508{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C875EFA5D3BCDE5F1B7E808F33EFD57A,SHA256=94317C31F28E059D18C892ECEC4A37A25F319A0860BE2391E6937967DC2B4C15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805824Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:35.743{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9428F1DACAE839338A22C452D928FF,SHA256=165F6A0B3755675E582C2A1C6651060A629543198EE823C4D497F8BA5BE2CE25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045522Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:35.526{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F785C4127BB8DFDD3DF37C15D698260D,SHA256=68466A0950CC08E3133B3955961F1834BCE0FA2B3526ABAC1639E4C33267B83D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805825Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:36.768{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98AA6A3D498B79E23C28FEBB8AB83C3,SHA256=BFB61FA675B5A93BA9F236045BB631170A5528DBE4DBA617B6E33AA0974B02FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045524Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:36.557{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C256556DA80A205B860F3E5BFE5EA35D,SHA256=AE9BAB2012C896683C04B0A05D6FA48B92C93CF77A30911BA9EB9717363A3A20,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045523Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:27.747{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50880-false10.0.1.12-8000- 23542300x8000000000000000805826Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:37.780{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2E39FA31DD8672065FECCEDD9AE4038,SHA256=B79C1EA819FDCE4B31F674D334C342B543A949BF09847D3A868311BEBBF217A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045525Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:37.558{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=047244EB6C7B8096175952781769B100,SHA256=917D94EEAE42548D8595EAE4EDD08E00C1AD59118A387E444560B284EF201402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805827Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:38.814{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DE941FCD950857FBC354E2CD799FF66,SHA256=EEF46054DBBEE29688A56EF75BAEC17642937AEE64A153602F59E47D9C0D9584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045527Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:38.589{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C10373EB5C3A1E4441DD1F5517E0BBEC,SHA256=EEC78772466A94CD78E4C4942B90FFE85B37BE6D3E7551813C3CBA65C1DEDCBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045526Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:38.427{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5B11AAFF0C00D359A109141237949D39,SHA256=DCBAB330D956F0A9E4B8E3D5BF8697D63907D2834C335D3A2DDFD729D26F581C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805828Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:39.814{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B053D010ECA8EE8107DAA39E7FD4D111,SHA256=9B83A01A8A89D587F81667BACCDAE2DA93DDCE10C305521C5535D364944B2E4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045528Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:39.606{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA6DC2AB622804D74D420099E8E61EAE,SHA256=044C4486C615D112062DA80789FCE1C433123C5173EDB0C7F5CA9A0ADAF3FF74,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805830Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:39.228{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57135-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000805829Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:40.845{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50E9D1919F7B2B14ACFF01E4D3A582ED,SHA256=2E65CD0D37F6DE099ACEF434EA4EB329327568ED0809696C5CF3DAACB39F5A7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045530Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:40.656{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A29E1ACA6986D3319AE63801948DA467,SHA256=82031B55A4A982E6CDD35890B0FB53A379D88ACC9136CAAD77340297795C61C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045529Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:32.482{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse89.248.165.74recyber.net28601-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x8000000000000000805831Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:41.907{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81FFB0740BFA5B1393AC106762DDE305,SHA256=81A573CCCDC76BD2F29EC11EC6E0258E4AFCE9B41C7DF7F86FC4EE68643393E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045533Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:41.686{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C8EA121C409BA7BC808890B95BF32AD,SHA256=2E7471FBCEFBC165443F734C0CB5503BF5B5DE95C78CBB9F55E101C7E871DBC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045532Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:41.071{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F0F38DA28A88832B17B5700073A183A,SHA256=8041AD64BA212FA8608D97E48CA5D7A37531564920B420ED57FB9C05C142BE16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045531Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:41.071{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BD9A643BE4EFA8342C81F63B9616F4F,SHA256=2B099FA0EB2DC2319777163EA602FA8A0D553A316321F7E013F77AFB18641052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805832Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:42.923{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A6386750B26D98AD27300C426193038,SHA256=3C67A9B0AE2DB2AC6B4AB735FF2A379596A8C982B2E46C055F36607F117404FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045535Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:42.704{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9AB778CAD6D3E1B8C45E175E36F3BA,SHA256=8895746A75B9DF48233149EBB4F76D4A2D280DE85100A9B5AC7F177521A614FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045534Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:33.683{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50881-false10.0.1.12-8000- 23542300x8000000000000000805833Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:43.923{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A927449DCA41E92D42364980116CC0,SHA256=A0488E43655A3BD4F78B46373A0A3D5B43145E9B83FE42F88C2688595A33583F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045536Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:43.737{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD980509A1B674865E43150F2CBCA7CB,SHA256=B1676F348FDD8FF03490085DD5D3C74B4652F650C3C58C87DBDD0AC0B8D5D72F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805834Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:44.939{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F7A3BA4E45416FF5C64FAC0642BA958,SHA256=1C95EB5BB1C2A5E8A501292AD1F3D22650D94D29EAA4D09E4E21EA60F14940B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045537Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:44.752{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83F4FA09E7A5CA7B5CF9E142308132B5,SHA256=B87665074FA00B61E6C1733A93C8E517BDDDC5ACD99B19D2EEAB3CFB9AB707A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805835Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:45.954{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A9E4FD47027A975781D4F18F23EB9EC,SHA256=20257230C6A42846DEF39449425536EE60784B90516357167B67E9AE89BBBE48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045538Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:45.783{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17E6F06343C33C9D6ABBE4E754656F50,SHA256=84787243B38FD7482E828453F1A10036A1D01D84E36CD08918200894450B4E49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045539Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:46.800{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F158474B8AD3BA3F58A84C26F7F04AB0,SHA256=DB23B731FDF952502830B1D73C1C012EAF09891E6498F6A2F84C440F212DF1C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805836Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:44.337{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57136-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045541Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:47.828{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=254C77D06EDCCB468435E3D330F66608,SHA256=A1B62A57C9CFFC77A5DE045735C5CC7A209976A466DE805621FD32321EF0DEFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805837Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:47.032{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B115BEE86B4C7956C1B39950606AB5,SHA256=48DA28841ABAF52537C04CF93986CC44F53E46AF246756638187C2D09984F198,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045540Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:39.640{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50882-false10.0.1.12-8000- 23542300x80000000000000001045583Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.938{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=0E6406BCED06B69AEB6C8CA463C0EBAB,SHA256=884CCC1F3FAAB666B5DAE09256AD409EE961AC8E8EB0DF4B9144DF09CFDD0035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045582Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.938{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=5AD4772D4BE6E9CC7CFA00B64B6CE71A,SHA256=C324FCF91D4B541EB93422BDD5FA434E39A752B6D7A93D78E70472F6D9B1EF2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045581Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.938{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=23F92D6A4085DA3A049409C9EF6E6F24,SHA256=9F6D9C12BB68A8D0EE3F884519916D7F3D174C4F85BFE2BD208CE27A4D1E1D9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045580Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.938{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=EA86E0097B81FDBDEE3F12AC90CA6410,SHA256=6A242B62530E38DDCFD272643F6CC44EDC0208C69DC3022D6CC273F4C7E79AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045579Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.938{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=8DC78A562E1B268958A981D0AD7EAD74,SHA256=2A960282D759EAE224A8A47ABAD7A54DF042460DF0E5AC83A793FA822615FB83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045578Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.938{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=3B53A80D80584F5F16860FB04FBBB50C,SHA256=578B167D678436BE970332CB1F2B38D237BBFD6DAF46C2D565F0A457F7C00D6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045577Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.938{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=630E6BAA0AB0AD54050AFA8D0A5A478C,SHA256=7E1952C7293F78C27C13E8FB5DCAFA94E9439A6A4B342BCEC4DBEF4B8B99E977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045576Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.923{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045575Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.923{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=5A35E65CADA1885B6796D1B3FE56E5F8,SHA256=35A1BF0FF6DD2B70DA5F89611891D413808DDE1510D03D788FF48A214AFA7CDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045574Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045573Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045572Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045571Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045570Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045569Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045568Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=E72E6B0165636DAE364CC43097FCD4E9,SHA256=3FE594D286D351B102E94676FD8A91B8FA0B3FDDD151336DDCE8C9BA2CFCFB50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045567Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=318288F5909637E0C3285C0942D72FF4,SHA256=F2BB9D40F7237C0E6D8EA96DFA2E864BD1264EB191C52BDBF16488D9466BC300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045566Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045565Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045564Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045563Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045562Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=F7A173C65979416711FAFF47FADFBB44,SHA256=7F018CC32CF471750B6C5322E27E4F1C38097C414E7C6DC6AF9CF31E607431A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045561Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=5C71167AC9642FCF7752093F77FBBC89,SHA256=6714F7FBADCCB013DA1D8ECEFA6368A7D193E1F2460477F8AC304EDCF8637AA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045560Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=BFED06667174B0D03EE7F88A3DDC9A8C,SHA256=7AE5584755089D28C3A52DCF1EB86E62D4F2E377D61A7D549C6D4EBD53F39B26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045559Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=E6AAB64DC2799B4ECC6A6D18F86BD283,SHA256=D72FA31B50E9164371C5B7A3CCA257B99CE12D900FB07DEF942361D76299F5FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045558Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=16E5F327975AC215E9EFA4A4FC5262F5,SHA256=4698D628493E91E42494C8343B7E6469DFC1BFB1F771258C2FB556E84EF314B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045557Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=C3757E7620737B3B6500073B370852FE,SHA256=34B07244F673343E9AC1C775B455C0A60AA95439E83A70B0C6A24E504A88F4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045556Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045555Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.891{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045554Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.891{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=8D9E3EEEE577DCE4B0062413A081F9F2,SHA256=D0E3356B67A0BB9BD101D87FA6E23EC2699CC8A25564CD88076663DACF73A9CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045553Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.891{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=2CC22CF356532158115AB8A0851A9A80,SHA256=6B106FD00C6E27909C9779448E5BDA5FFB96FE2A6FF42636A662AB411D9906DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045552Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.891{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=630E6BAA0AB0AD54050AFA8D0A5A478C,SHA256=7E1952C7293F78C27C13E8FB5DCAFA94E9439A6A4B342BCEC4DBEF4B8B99E977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045551Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.870{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045550Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.838{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE8B9F834041C9187460E4FAC04CD81B,SHA256=45DCEDF8646C0885AFD9F438993F8E3526A276EA9B7BDD442FE5309CACFD5A5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805838Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:48.064{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E04BCC7C2AF8B0E35C2F3C2AD6389D7,SHA256=F02827AA2E31C437E7CBA0E592CDE86CE37BBE3FDD6A052664EC1926E45D0BE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045549Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.823{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0651B0CB496569EC5EA27EA4A2E579C,SHA256=8280063A02D54619C51F0B1EA4B4FF356E88D6AD8BD2C6A9DBD4705A0CD1025F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045548Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.823{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F0F38DA28A88832B17B5700073A183A,SHA256=8041AD64BA212FA8608D97E48CA5D7A37531564920B420ED57FB9C05C142BE16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045547Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.807{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=B291AD81803C87DF795FD2D4B46F728C,SHA256=E30C60296F8C2538DE9194FEFEFC2E7BF645804CF341ED524C52CA0A98E89484,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045546Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.807{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045545Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.791{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=23F92D6A4085DA3A049409C9EF6E6F24,SHA256=9F6D9C12BB68A8D0EE3F884519916D7F3D174C4F85BFE2BD208CE27A4D1E1D9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045544Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.791{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045543Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.790{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=0E6406BCED06B69AEB6C8CA463C0EBAB,SHA256=884CCC1F3FAAB666B5DAE09256AD409EE961AC8E8EB0DF4B9144DF09CFDD0035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045542Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.748{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805839Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:49.064{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=588B2AF42C3C29382F84D72CF27C6B54,SHA256=C7C3D990676C37C6273F7BA0F506FA7AAC3C99D8F4E44E4B894749EE5AA89034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045602Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.538{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045601Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:40.947{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local64659- 354300x80000000000000001045600Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:40.945{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local62188- 354300x80000000000000001045599Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:40.446{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.188-31405-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001045598Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.022{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=4389884605AD56EC50BF27FBD4CFB473,SHA256=60B552CBA048738FE850BA958CDDF9B742B6FAA7519F455D4B39437734725990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045597Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=3F92B621E1581AD764BE2EC57381AF23,SHA256=18FBBA6D350213F61DF718195FD2B38A3B8344D0A5C22C2713E6F8944E9A9DD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045596Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=8D76E0D31A687AE5A730C71C052C68E8,SHA256=6747A2FB92023CBF27E345AAC38B2BA7695A7DC5E9A42BD793D0CF6DAEAED260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045595Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=DC7308A91A03C92D7329F37F15C7AC82,SHA256=180DDE904FFF036ABD4045A52850200ACA369E4577E14E0675E5298855A6AA0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045594Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=54971F1ADD787A9676F9DEFAB4C7FE3F,SHA256=FD890E3920CDFB62C1089C6119A8F8B713F81BDDAF7BEC925AFB4BDFB32AF5E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045593Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=0A19E4A237D65FF069452EF5201F217E,SHA256=AC5D43328F28E2B1159D014197F58D987C2AB78C9179DCD924524353571FA604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045592Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=D95F203FEE1C8FAE222EF4C6D410971B,SHA256=1CA57763647104AEF83C8A86E8366FBBEE4BAA88C900C7AF66F437720319CEAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045591Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=C0FE3CB314FDF424A4D4F1DE2801A4DF,SHA256=C4CA8CE5B3B8D038E3348887BDA7634D1949325BB95A68D17184D2A99F37E810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045590Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=8F1AF05E946BCD9711A1CDE1B1ED6C95,SHA256=0F5C8864E17307F3C8CE1D35AC4770D0C1C34F8CDB3FC7404F2114B4E0FD93BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045589Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=B91E9842F81EE5668B68C0B5B561010A,SHA256=19F7DFB5FC8E587C8D48DC8A779B07E1C11CCD772A7B68025146FF0A335B54CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045588Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045587Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045586Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=6CBD94D3D2878BBE7EE0E707A97C3307,SHA256=F3B68CF7458532B88D77ECF652721AE743D4E7C60A8D44D16872158E66E9D903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045585Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=B291AD81803C87DF795FD2D4B46F728C,SHA256=E30C60296F8C2538DE9194FEFEFC2E7BF645804CF341ED524C52CA0A98E89484,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045584Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=1D05EADF8B5987C12351E95499404B05,SHA256=1E4CD89907C8B6E7314B8D0267A44347017F93A61A13548402B10B4F5EA1FB4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045621Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.869{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F27A-60EB-DE7C-00000000CF01}10108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045620Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.869{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045619Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.869{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045618Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.869{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045617Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.869{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045616Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.869{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F27A-60EB-DE7C-00000000CF01}10108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045615Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.869{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F27A-60EB-DE7C-00000000CF01}10108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045614Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.854{466BC892-F27A-60EB-DE7C-00000000CF01}10108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001045613Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.453{466BC892-F27A-60EB-DD7C-00000000CF01}48489928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001045612Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:40.948{466BC892-3462-60E8-100C-00000000CF01}8944C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\bobtcptruefalse10.0.1.14win-dc-890.attackrange.local50883-false172.217.16.138zrh04s06-in-f138.1e100.net443https 10341000x80000000000000001045611Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.190{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F27A-60EB-DD7C-00000000CF01}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045610Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.190{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045609Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.190{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045608Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.190{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045607Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.190{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045606Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.190{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F27A-60EB-DD7C-00000000CF01}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045605Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.190{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F27A-60EB-DD7C-00000000CF01}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045604Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.141{466BC892-F27A-60EB-DD7C-00000000CF01}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045603Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.137{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=114CA18162E242302EF105ABA432E760,SHA256=17A47E3C5C3C2BE0B0CF408F73AAE41BCD67FBBE75117E67FCCE2099D8DD8770,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805840Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:50.079{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60A14AE06FE510F71A7E76AB69B6B915,SHA256=22744DFCEF2080D9A4DB011BAC9D1EB0FEB3481927E43F5D025BDC941A56FB72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045632Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:51.768{466BC892-F27B-60EB-DF7C-00000000CF01}77168544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045631Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:51.553{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F27B-60EB-DF7C-00000000CF01}7716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045630Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:51.537{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045629Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:51.537{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045628Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:51.537{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045627Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:51.537{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045626Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:51.537{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F27B-60EB-DF7C-00000000CF01}7716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045625Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:51.537{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F27B-60EB-DF7C-00000000CF01}7716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045624Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:51.538{466BC892-F27B-60EB-DF7C-00000000CF01}7716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045623Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:51.153{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=977931B5A92BB01976C2CC8EFE93C2EE,SHA256=9A52C812D24742DADCB6D21BA6488BAB138D8AEB0E70E8DFC5D0F91EEB153F67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045622Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:51.153{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0651B0CB496569EC5EA27EA4A2E579C,SHA256=8280063A02D54619C51F0B1EA4B4FF356E88D6AD8BD2C6A9DBD4705A0CD1025F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805842Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:50.259{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57137-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000805841Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:51.095{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF7BD62D7ACBE256EC5C08433133368,SHA256=45287B1C91E2DD0C62312F2D34E0719DCFD36B6A313117551258A45DE50AB196,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045650Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.921{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F27C-60EB-E17C-00000000CF01}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045649Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.921{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045648Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.921{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045647Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.921{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045646Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.921{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045645Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.921{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F27C-60EB-E17C-00000000CF01}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045644Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.921{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F27C-60EB-E17C-00000000CF01}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045643Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.906{466BC892-F27C-60EB-E17C-00000000CF01}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045642Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.552{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDF0035593C4116EF545E5A66FEA5ECB,SHA256=20B5B49367EAFBF998F94FD23A77125A6CFDE150C2DC4FB9328F54821676D972,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045641Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.221{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F27C-60EB-E07C-00000000CF01}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045640Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.221{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045639Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.221{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045638Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.221{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045637Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.221{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045636Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.221{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F27C-60EB-E07C-00000000CF01}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045635Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.221{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F27C-60EB-E07C-00000000CF01}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045634Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.206{466BC892-F27C-60EB-E07C-00000000CF01}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045633Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.189{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CD98C9B50EA4F93479F24949074D451,SHA256=58324A938ECED25000DC215294DCA4C57BA335A0B0C6A885057DEE00FB12EC40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805843Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:52.095{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D04907AD989109179FB8FF57802D27,SHA256=C9C3F0E44D53323F8AEAAFF6719CA156C930194637A8CCF65AF6E41C19255546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805844Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:53.126{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDCE8AD42BCC212E24D6D3436D3C2CC7,SHA256=6EA087A5962A6295FC47A15CE15617F6E0D61A6F57948700FEDFAAA1A503E668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045663Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.906{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBF17196F7B9DF04D411031FA2BF4EBF,SHA256=C0BF0B2A3C9E70D4B798A8DC07F7177F02E4216CC73FACDB3A884348B105334F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045662Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.838{466BC892-F27D-60EB-E27C-00000000CF01}98729860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045661Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.591{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F27D-60EB-E27C-00000000CF01}9872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045660Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.591{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045659Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.591{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045658Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.591{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045657Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.591{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045656Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.591{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F27D-60EB-E27C-00000000CF01}9872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045655Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.591{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F27D-60EB-E27C-00000000CF01}9872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045654Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.586{466BC892-F27D-60EB-E27C-00000000CF01}9872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001045653Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:44.726{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50884-false10.0.1.12-8000- 23542300x80000000000000001045652Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.207{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F784B568FF47AE562B5E0C97D520ECB,SHA256=63C4903789D226D31FEAF6391D369533C77BEC7546EDDC84952847A06F7246D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045651Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.105{466BC892-F27C-60EB-E17C-00000000CF01}6404396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045672Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:54.287{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F27E-60EB-E37C-00000000CF01}10008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045671Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:54.285{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045670Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:54.285{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045669Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:54.285{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045668Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:54.285{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045667Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:54.284{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F27E-60EB-E37C-00000000CF01}10008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045666Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:54.268{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F27E-60EB-E37C-00000000CF01}10008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045665Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:54.269{466BC892-F27E-60EB-E37C-00000000CF01}10008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045664Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:54.237{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E96F3FA732FEC72B9A8490D99133E5CB,SHA256=C9EC1528FAC69EC3E6FE92A240E09B49B42F4A5EB676330082007B0F7E54F274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805845Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:54.138{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F7AB012041B9CDD4363992534F46FA1,SHA256=0A3C235078E177A5C75FAB1866DBB9D102E0D5A8B0CABFCD35AFA04F92215541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045674Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:55.321{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53BEE2455228E7E76FABC0E1A3E2AFB7,SHA256=C26A2F648414FCADA018328EB05251FCCEEBCA75B7571011BB11DE0A64158F57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045673Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:55.252{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED315C1E58DB87C25F4DC53CB1A4C54,SHA256=C876E3871BCCDFF633FB2619F2C9DDF82025B7D89015DFCB4E98152954A77977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805846Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:55.138{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FE73D609A1CB3E8F6B92337004447E5,SHA256=2308F6152AB30FCB7142BEB5C6330AC132908D9D8102FA155FAB858C69077CCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045676Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:56.704{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045675Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:56.267{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83C989DBA22E4F9927F5EFAF1CDAF4F8,SHA256=DD432B020A37F434651FD888C6E2E63A49AA938714990C1CF81B42CDC406C06F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805847Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:56.154{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FED9A27CF889A4BDA7466230D508D047,SHA256=7ADA333081FF8846614A9BC3957DC9125FA12A8D33E366C3F605BE18B98842A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805849Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:56.224{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57138-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000805848Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:57.247{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0D3F6D67D30CD5B17FA7A653ED07F91,SHA256=F44BEA99DF64B510745F4837FA837D5382BF431D9A044D70FC70FA18A9915842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045677Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:57.287{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7743A6025505FAA614818069D0EC446B,SHA256=F96BC1DB7716C77F50525729ACAB726541C97AB5618E12774562866D15C9F1E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805850Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:58.279{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=030CEA7010617F15AB156A18D351E397,SHA256=3F58B1506095E3AAF9008039278F02ECDA5D9C14C155968D9FBACBF898B105A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045681Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.640{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50886-false10.0.1.12-8000- 354300x80000000000000001045680Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.240{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50885-false10.0.1.12-8089- 23542300x80000000000000001045679Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:58.303{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=130F05EF3C23C73796334C5C64004EE6,SHA256=84D5CFABD17DCCE79B7D0D5F067681A9FF5F197655634E35A2AA500C70A97422,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045678Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:58.050{466BC892-5A42-60E8-C510-00000000CF01}7816ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exeC:\Users\bob\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\7816.xml~RFf60c9a0.TMPMD5=4553D3891EC8198EC956E59A7FA89664,SHA256=7DA31B28073EC76DCCA7EDFC3709014058FE36DCB6626D30538493EE344D57A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045682Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:59.334{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B414A8725C811E94D6C0EF72108DB945,SHA256=B24F7983BC1A6A856943F26018691BC3AE70191D9BB4D1E2B8C324FAE843DCFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805851Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:59.310{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E5851E3E73BAB7ABD2F495656E27129,SHA256=2D8CF257FF55ECAF6D25E17C2E65586D30AE65F8CE671CBD86EC22D07D54995C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045708Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.634{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001045707Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.634{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001045706Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.634{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f 10341000x80000000000000001045705Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.634{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 23542300x80000000000000001045704Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.634{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFf60d3b2.TMPMD5=FEEDDF0B48ACBAE2DF2C13E094BA61E1,SHA256=564E4AC53FEF38F8EC2ADC3773CA3AE2E546D9CF626CDED40CA8B8DCCA4D789B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045703Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.619{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\Zcu+SuGceoMw7jEKUb5oDw==.icoMD5=88B48CE20644063F896B4773C1AC1D91,SHA256=4910F163A5CD41C4B118E08ED3499191EFBE57CB26DF84BF39E71E71254404FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045702Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.619{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\xo8k2ky3GpHiI1pLvhaG2w==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045701Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.619{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\VBMHe4znoVL+YG5UjBj2Fg==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045700Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.619{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\v5zZN0gWxQQcSlsFXkjFSw==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045699Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.619{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\uH_MCOVJ9Aduvu6vCVSCpQ==.icoMD5=88B48CE20644063F896B4773C1AC1D91,SHA256=4910F163A5CD41C4B118E08ED3499191EFBE57CB26DF84BF39E71E71254404FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045698Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\u7tfzr9UnZgBN9ofDX_SlQ==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045697Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\ThM2efvLQFClAZ6o2apafw==.icoMD5=5D981C37A2B6D1A11D7FEB87FE58D74B,SHA256=B87A03C2E30B1160D0C50F9E6DD18AF4298B21957368D8020D0A70319D4E78AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045696Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\tdLM+KOjWsfBYA7G0BW+zw==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045695Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\SNLa1UNHrsKGK3H8U+id+w==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045694Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\sCeT886FgjTtZBVrjDjxlQ==.icoMD5=EE7F785510FFD6C4182979149AAB3F3E,SHA256=CDF8CABCD401B895306E04017C2AFDDC2D4D5FE48810BD5E4CC652B668CC5B65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045693Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\Q2sS3vx2J886sbGqfF7B2A==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045692Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.icoMD5=3179477007C6C6EF4023DFBC1FAD412E,SHA256=D1AF848123880D324A8B3D0404F40E19B195380364EFBFACF3126886234A8377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045691Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\OFVEIqzdBKeKpdOgW1or1g==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045690Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\ng2FLPaKpq7YK1yIWMPFRg==.icoMD5=5D981C37A2B6D1A11D7FEB87FE58D74B,SHA256=B87A03C2E30B1160D0C50F9E6DD18AF4298B21957368D8020D0A70319D4E78AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045689Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\MKk4smTa9mGSU6uvnGJXjw==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045688Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\LlB9BoUNa4ZtudtaDQs1yA==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045687Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\IP0wnRTpLv_qsq4nlNF5zw==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045686Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\GCPFYDP8YS_iRU8ht6aUMA==.icoMD5=1A25BD5A01EC04884A81344CEFFDA24C,SHA256=49633BA947E721A8EF218137A24A9874C6B49F4E374C5F304975DAE1B5EFF166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045685Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.587{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\cpEbUHld0HIDZebvGsX43A==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045684Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.587{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\11J3zf_vmVpGrlm9rvHbhg==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045683Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.349{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DCD74D609E26B730E197CE83191BDC0,SHA256=EF2DD642D9B103B9D0CC9282BC72E45D55B27193D4A1F9DBAB1BB7921BE80164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805852Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:00.326{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C979A4BB845711763459C79955D7EF4,SHA256=05845186161895CB454BCBB2D973A47ACF2D57E54029E95DD24A048A65BC2C65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045709Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:01.350{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A13215F81CC157B2A4D8133CBD83D0FA,SHA256=FFDDA4E7D1EAED3BE6A8667ED0C6F544B749FC7E17EA91C57B03AF3E1E6462B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805853Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:01.326{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020C79EC95600E9E2035EC3C119DFD81,SHA256=18762B5EA51B02E6147D1A76808A853EED61F7C1C7FBC8735E5F8F91DA5E3397,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045712Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:02.603{466BC892-02B0-60E8-1600-00000000CF01}130496C:\Windows\System32\svchost.exe{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045711Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:02.603{466BC892-02B0-60E8-1600-00000000CF01}130496C:\Windows\System32\svchost.exe{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045710Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:02.383{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96A65526F1D9CF9A28DA4B095A029729,SHA256=F56CD861043555B3E7C659318EB17B618159C46B358D1B29E054C5675EBD32EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805855Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:01.365{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57139-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000805854Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:02.341{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DFD9AB2CB3B6ECE4DA5C72B572BCF32,SHA256=BB3C030E2E39804D8E638FEEF84EFEEFF1175A4C1932EE176340B4C9F204D410,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805856Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:03.357{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A1ABAEFFC96A68650E0EA748BDC4A66,SHA256=18CEB06B886F19FFF6002B9955E4843A0B1937668DC1FE480939862B5969C3DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045714Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:55.760{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50887-false10.0.1.12-8000- 23542300x80000000000000001045713Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:03.403{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA80ACDA73F1BB5200163FF4D0C07E9,SHA256=802A1F404F17BDBED430FE98FCAE95D520B122A94A05A9389D9917B862AAA15C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045715Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:04.448{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9EF820E3F469768F3F5F9B0FC51E99,SHA256=072E9D1FC614E41D5579AC3DB98D825E5132980AF13FF1D65DC94C76F205FE59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805857Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:04.388{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63F4911455D4780CBC61BF69A31A10EB,SHA256=6921AEDED4C677903F2D0730683F77598DA2FCD41E8E7BFB643B125C4EC5C2DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045716Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:05.485{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=181EFCB068DF2EE990C960BC7F25A84C,SHA256=C54B86CA0AD121A3CD6D7647DE90E7B11126353A3044CB8AA2752D884D4BC032,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805858Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:05.419{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A77FA90244D5E34C0CE6115DCA83FED1,SHA256=33A6CEF33903C3905E4EE78DDD00F7A6538F245D58344225E86286FDB28B7A6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045722Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:06.549{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFCEE72B1D6707A6B801A9B489F1177A,SHA256=2BCEF3EA3D26CE27A23453B119B98AA7BE49A25194AC8E60F05E7F8304E7EE47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805862Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:06.435{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0326DE68F3EB6A924DE12AACD5D4E9FD,SHA256=3D55192FFBAB5F799191D4083A4BB7E43DEE0D8688685CDA4859500E03666F29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045721Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:06.133{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045720Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:06.086{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-57B0-60E8-6810-00000000CF01}7548C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001045719Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:06.086{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-57B0-60E8-6810-00000000CF01}7548C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001045718Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 07:43:06.081{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.7548.370.54388881C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001045717Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 07:43:06.081{466BC892-57B0-60E8-6810-00000000CF01}7548\chrome.7548.370.54388881C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000805861Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:06.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1500-00000000D001}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805860Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:06.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1500-00000000D001}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805859Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:06.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1500-00000000D001}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045723Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:07.581{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9BF1CAFC86DCAEEF98A1A3A18ED0FFD,SHA256=D1C26CE5FBC669C43EB494BC7BEC2953F1ADEEDE6EF51E6D848B91EF3B82132E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805863Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:07.466{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=238524D53B1D97BDD32CB1A074E485A7,SHA256=79691C30F01AE63CED8F1E733CD72E45268936F0D345A74F190BC2A013D109EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045724Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:08.600{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E809DA9EA6BCA39BC1FCD7624F629167,SHA256=E8BF3FCC5C9A1C103ED70E9A626182F39891160809A9C3A73474FA5D07E1AFCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805864Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:08.497{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C978DC6F8B6784C0390C85A044679A67,SHA256=E73F0415B8494775B93AB19D3AFAED75BFB9BC298A9B9C54403DA3562527554B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045725Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:09.615{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8E7A6930EB11D2792C91AFB4D1EE1EA,SHA256=DA42CAE428C5AA385A17AAB71066F673BF67E3D3C7D00F0F3EEC8422F7977BCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805867Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:09.544{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E49F9AA072C9EE48BA09C919F8E31366,SHA256=8C387CC38AC323072CBED48F1B5185B7E8BC7AF5FBBA3E182889DED92BB66AC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805866Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:07.302{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57140-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000805865Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:07.185{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse3.133.117.249ec2-3-133-117-249.us-east-2.compute.amazonaws.com63375-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x80000000000000001045727Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:10.617{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0B8FD60B6BCEFFAF17AED13BCDF50D4,SHA256=6A18DC49B1E50962E719A6DB06E63856EAF4167A873C39BD2ED4641F1438CA76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805868Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:10.544{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6B7B8D640E158B62F7265FCEF6E4345,SHA256=C49D6DE7C1BD1F709AD6EA4E0D2B396306FBEEBBFEEBDB839C78130B4FBBABE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045726Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:01.636{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50888-false10.0.1.12-8000- 23542300x80000000000000001045728Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:11.632{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01DDE23B9D84E22FB786A16D8C26DFD7,SHA256=549B80970BF525A46AD7A5BF2C2E2C8F55C8CBE06C51D780E71DA1669A94A6D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805869Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:11.576{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CB34E3B0AF74F6CD867784F33D6BC70,SHA256=56D4346BD009447084396E1EF777B296280103CC950812D817600CF68438A907,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045729Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:12.647{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B501697F5CBF24A3BBEEB99B2997AA1B,SHA256=59042F70EC4A6102DBEF9329744ECD83DE627AE3195444312093922BCD9D1742,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805872Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:12.669{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74DB58B5B5441FA4F1013BA72D16252C,SHA256=BF711EA8112F468C361C3C213DF6FB6DA5F9CA36F52818403892FBFA2B407EB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805871Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:12.669{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA8CF747067E94A6B097C93CA19E1E5C,SHA256=6E22D24792C6B9B569991FAD5BA972BEE28234EF787AFB9A96141A02738644E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805870Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:12.591{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8231541C5F16D8AE9A9BF1F77466D81E,SHA256=589EFAAD2C5B832ECB1DEE6B91C256341CAE9376310FCA89E8325083AD7B7566,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045731Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:05.209{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57141-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x80000000000000001045730Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:13.662{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FE4BB5530409A42C9F427EECEDB58B1,SHA256=D2DB92C2BB8BD7E61BC3E506410E223EF1FD19B43ECF7E012929D2F45B7CBDC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805874Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:13.654{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03B9B93FF00BCA284522C749F6707D89,SHA256=D08B04CC41A92BB78C497615E8716E413426D275AC5E2A9E0BEF2FABAED25050,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805873Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:11.500{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-31339-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 354300x80000000000000001045733Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:06.773{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50889-false10.0.1.12-8000- 23542300x80000000000000001045732Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:14.678{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A00F87CAA22CA7ADF3814AA6DB03E78,SHA256=DD30A428C3E08A319AC9C27BBAB89065DD4B2D2FB4F56816252B3BFB29C294A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805876Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:14.697{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F845B4869AD6BB7B27864994FBAB57CF,SHA256=0D230F36D5CF05C79A70D04171B8B180DCE490239ABBCEEF74883807C481DA94,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805875Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:11.804{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57141-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 354300x80000000000000001045738Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:07.873{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50890-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001045737Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:07.873{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50890-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x80000000000000001045736Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:15.696{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D72CE0834FC9F81AC8DBD20FD3DBC5F7,SHA256=581599A2889152571934E967B223E23472042B42F3299CC6C147725266424106,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805878Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:15.713{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=843D26EBBA7BB217FDBD996B0EEA1152,SHA256=10A592FAFACCF0A3EF6F62052714163A3441DF83EA536C664492664B8E09862A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045735Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:15.347{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6576C650EC8B80BCE4E848626A770FA,SHA256=CC4CF15AD9D9D60D9E13F7B16827893414849D1AB9DC89AFF3B6E2378D8A898B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045734Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:15.347{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27EB8568DABAB187E4325E7F83A75965,SHA256=00360B33C82F6EE8807D8F69981AD0DA1159ACFA5B498C58C06CBAD97B7CCDC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805877Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:13.208{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57142-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045739Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:16.715{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=638FA9E2252F2F071D49AF91CB12F2B2,SHA256=3AFAA1CC63DBC2808ABBF575555853EE926F0204B74CE02510171A4696F5BCC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805879Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:16.729{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEA87F8B84B8062E1E2849FD040845B2,SHA256=E3A5B545EC35255401B6BBC434CA685B9F264B21D966A73AD26713B867CF934E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805881Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:17.776{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8D1B24E206DF8190C993B4501484BE4,SHA256=2FB1C930861F2B3B4384BD460BB45E16761206D6771247648D2EC8EFB66E9F61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045740Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:17.731{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58FE8E8F7D53FB014B671E81A3D50638,SHA256=BC3FA678B547AFDFF32DDDBE429F6862975974AFB79039542738ABA9BB3B6912,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805880Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:17.026{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74DB58B5B5441FA4F1013BA72D16252C,SHA256=BF711EA8112F468C361C3C213DF6FB6DA5F9CA36F52818403892FBFA2B407EB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805882Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:18.823{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4B73BCCD196B6DE64B84806D86DDA78,SHA256=A077B8EDD6C68C35E57D1F0B6558B2358A7A3685064875FE8F05EFF9A6EB6E55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045742Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:18.746{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B051236AF1B7E6A73B09C5F51CF81B5C,SHA256=0FB624D3B7DEFBF01439A7BC7C95F3428BC6D7CC889794338B3672CCBD923F8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045741Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:18.178{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805883Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:19.823{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D1CBEC932E1768B4E9DBB712A5486DA,SHA256=CD6C77A31573FDBE53C86715DD3883A28FF3759A2B65C29172E33B587988585B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045743Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:19.778{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA0C0BB7DAD10353BC99F6CC0741CC52,SHA256=F7C79F8BEF8BD6A350686863CB732EFEBE83AAB0D06F33E1D3D420583189AABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805886Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:20.885{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF98737AF8EE7496AE0341C7650CF6B9,SHA256=010A7A81369F105E245CB647383C2FC44AA2CEB6D903D4629A893F60518F3C0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045745Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:20.778{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7C4FDB005BCB137AB9638BBECF74F20,SHA256=4763C8BC04FC192333BCFCE6E986A46282D68491287A0187B38F3B8F9D2CE328,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805885Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:20.307{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805884Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:18.330{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57143-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001045744Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:12.653{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50891-false10.0.1.12-8000- 23542300x8000000000000000805887Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:21.932{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EB70DECB9660DD6FAB55C2F9C892C2F,SHA256=30BAEDAA4783C08CB01AD5EF5588A776A9CFD44CBB6D8AEA452B49EE4A57B8C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045746Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:21.796{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C41EE2C625C9531DAD762B9BC61EC2,SHA256=71895BB5E813CD8A0FAE411B34EBE5CB89FAD643F29B10938F01BDEF78F24F53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045747Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:22.844{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D267987A5D58FA83A6EC3C7B20474F92,SHA256=428631DE69F0DF62CA29EEDD851F37D19DC32E817187D73D0E1DC17523011340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805889Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:22.963{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5113310500A44E009F51496B7FDA595,SHA256=8653A632140F31B533723EDC4B6CCA7727CD06E54A236E6381654DB6FF7A7940,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805888Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:20.440{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57144-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000805890Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:23.979{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8CEA903A33FE7D7A4EA4AA160C1D1DA,SHA256=BF594DD0250B8313FB2B46297831FEFFDB2A1C1685D7296E2B51ECBA3C35D222,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045748Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:23.913{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23C2B8401F68288AD18F15BEAA68095D,SHA256=2B151289938E41137AC7FD0CF82DBF0D145DC03CCC0159C955E0DC49F035899E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045749Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:24.929{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A64FBDFA263AE88808CB3CC421E8C668,SHA256=CF834E036EEA70907F3CCA773BA82542E2DE44F717A0700B3D1A8806DEC518ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805917Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.791{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F29C-60EB-3579-00000000D001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805916Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.791{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805915Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.791{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805914Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.791{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805913Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.791{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805912Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.791{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805911Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.791{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805910Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.791{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805909Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.791{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805908Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.791{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805907Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.791{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F29C-60EB-3579-00000000D001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805906Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.791{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F29C-60EB-3579-00000000D001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805905Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.776{0C1E0330-F29C-60EB-3579-00000000D001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000805904Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.385{0C1E0330-F29C-60EB-3479-00000000D001}520868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805903Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.244{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F29C-60EB-3479-00000000D001}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805902Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.244{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805901Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.244{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805900Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.244{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805899Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.244{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805898Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.244{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805897Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.229{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805896Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.229{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805895Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.229{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805894Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.229{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805893Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.229{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F29C-60EB-3479-00000000D001}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805892Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.229{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F29C-60EB-3479-00000000D001}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805891Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.230{0C1E0330-F29C-60EB-3479-00000000D001}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045751Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:25.944{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BBB617AA2DDC13B42D03DFE664CE410,SHA256=64CA713F3986D63CAA606AFECBCC85E296D7A14FBAEB28FC8049B39D0BF3F526,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805935Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.651{0C1E0330-F29D-60EB-3679-00000000D001}25563908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805934Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.479{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F29D-60EB-3679-00000000D001}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805933Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.479{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805932Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.479{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805931Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.479{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805930Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.479{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805929Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.479{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805928Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.479{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805927Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.479{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805926Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.479{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805925Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.463{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805924Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.463{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F29D-60EB-3679-00000000D001}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805923Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.463{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F29D-60EB-3679-00000000D001}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805922Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.464{0C1E0330-F29D-60EB-3679-00000000D001}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000805921Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.237{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57145-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000805920Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.229{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=853A9E479F94D2F15BCD545D107F415E,SHA256=807CD0B0669848ACB461DF0D61CF2EA5BD641700D31EC409056C8BA8DDB4F8E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805919Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.229{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D10A039549DB5572CD996CEE013BB6A,SHA256=F0AFD45C5CA697C374081226297853BBBB81A51E14F8D00EBBB78A517AC9C972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805918Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.166{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08FD39E386651AFF99A05F50F2E06524,SHA256=99E951460C54D10C7E4D3F35CA4B3098BF876A6DA149E12FD8A15A00FF1B190A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045750Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:17.751{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50892-false10.0.1.12-8000- 23542300x80000000000000001045753Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:26.974{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBEBD21522E0F64414B46DCB72A330F2,SHA256=FCA390D9721FAF4EA886494A39BB1F20720D84A45FEDE169F3B0ADE65357EAB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805964Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.947{0C1E0330-F29E-60EB-3879-00000000D001}24003928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805963Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.822{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F29E-60EB-3879-00000000D001}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805962Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.822{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805961Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.822{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805960Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.822{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805959Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.822{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805958Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.822{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805957Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.822{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805956Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.822{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805955Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.807{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805954Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.807{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805953Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.807{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F29E-60EB-3879-00000000D001}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805952Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.807{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F29E-60EB-3879-00000000D001}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805951Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.808{0C1E0330-F29E-60EB-3879-00000000D001}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000805950Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.698{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=853A9E479F94D2F15BCD545D107F415E,SHA256=807CD0B0669848ACB461DF0D61CF2EA5BD641700D31EC409056C8BA8DDB4F8E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805949Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.448{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63EE9F5BB659AEB05FD790CA92B847BE,SHA256=8CA827F26995D4666E830934781F5575369F10D3EFAE05E29425D1189220C651,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045752Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:18.694{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-53243-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 10341000x8000000000000000805948Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.166{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F29E-60EB-3779-00000000D001}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805947Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.166{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805946Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.166{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805945Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.166{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805944Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.166{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805943Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.166{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805942Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.166{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805941Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.166{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805940Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.151{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805939Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.151{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805938Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.151{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F29E-60EB-3779-00000000D001}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805937Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.151{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F29E-60EB-3779-00000000D001}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805936Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.151{0C1E0330-F29E-60EB-3779-00000000D001}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045757Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:27.992{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=150FB7050802D0A16C59CA061A538063,SHA256=CC7D00FA3BBF31E36A03602B280817017367C875AB3BC2E4BF2841B3A91F786F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805980Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.948{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8881C08752F4786A7B5536D70F47F4AF,SHA256=0A5D2B394D24352D2F81E1576F69584C71DD761C998FD36588A4072B253DBD07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805979Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.948{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=149572522252F789C8A05686B78EAEF8,SHA256=09D532E82DCD3AC50CA3FC30AF4B6FB2D640C4B1DBC60EAA8B32DC8B7417899C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805978Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.666{0C1E0330-F29F-60EB-3979-00000000D001}37723708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001045756Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:19.660{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.156.88.187chabka-hosting.com62841-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001045755Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:27.011{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A8C83559D34EDEE4F290BF4559D0B23,SHA256=52C207B6150F385A99C76A68862C2D412C73961F596CAC52F8A7F6F6DA6DC989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045754Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:27.011{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6576C650EC8B80BCE4E848626A770FA,SHA256=CC4CF15AD9D9D60D9E13F7B16827893414849D1AB9DC89AFF3B6E2378D8A898B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805977Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.510{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F29F-60EB-3979-00000000D001}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805976Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.510{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F29F-60EB-3979-00000000D001}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805975Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.510{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F29F-60EB-3979-00000000D001}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805974Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.510{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805973Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.510{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805972Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.510{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805971Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.510{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805970Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.510{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805969Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.510{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805968Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.510{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805967Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.510{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805966Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.510{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805965Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.495{0C1E0330-F29F-60EB-3979-00000000D001}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service