23542300x80000000000000001045397Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.870{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B92B6D298F73E418BEF3E3A91982F109,SHA256=D705921C3300218BDD7F980456D9A2AD9FD8D13233FBB458FCF1AD4745A08C2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805670Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:41:54.423{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB44EE5325C29C34120D2D17ED6363AD,SHA256=269EBA3AAB20842DD2D73251640165DC1DFA37F13F97EE2E449A416D73C34D11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045396Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.720{466BC892-F242-60EB-DB7C-00000000CF01}20085836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045395Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.701{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA64E7ADBDB8F3354493C958658BEBA6,SHA256=DD7F76C4C3C6866E153822BC59AD377684B1A6130987407FF4B3795F06906C7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045394Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.523{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F242-60EB-DB7C-00000000CF01}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045393Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.523{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045392Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.523{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045391Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.523{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045390Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.523{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045389Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.523{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F242-60EB-DB7C-00000000CF01}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045388Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.523{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F242-60EB-DB7C-00000000CF01}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045387Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.518{466BC892-F242-60EB-DB7C-00000000CF01}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001045386Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.039{466BC892-F241-60EB-DA7C-00000000CF01}92247896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000805669Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:41:53.248{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57125-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045406Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:55.872{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBD7DD6A01CD1B0EE31A888F5BD78562,SHA256=ED0C815DDA4E7604EDD95B85D90581BD24EB4C12BA713D1C9C1B44AE3DFB57B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805671Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:41:55.455{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604F0D235A07DC8094F0EF36FD39630D,SHA256=ACF5558ED4735EDFA68B8479C2F7DEBF14BC138865A57D035A27561DB376549A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045405Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:55.357{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F243-60EB-DC7C-00000000CF01}9768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045404Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:55.357{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045403Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:55.357{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045402Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:55.357{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045401Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:55.342{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045400Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:55.342{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F243-60EB-DC7C-00000000CF01}9768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045399Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:55.342{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F243-60EB-DC7C-00000000CF01}9768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045398Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:55.206{466BC892-F243-60EB-DC7C-00000000CF01}9768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045410Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:56.887{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5480AD9B2247E7E18D54D32AB920F9,SHA256=E9E624A0C974AF1198100CD7AA3140960D7E4F0D0C87FB2ACFA0A9D2E59314ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805672Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:41:56.470{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA2DDB08813BC266A60F08E5A04F91EE,SHA256=1F78012ABD64DD6C664F8DCF7FFB8203296BD68237168F3DD87F05EBF7DF03AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045409Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:56.671{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045408Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:47.729{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50870-false10.0.1.12-8000- 23542300x80000000000000001045407Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:56.223{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E94C19B74B372ACBC19E5A6312E9069,SHA256=7B9F1DA1315BC79A1B21C5E2F6BCF31F3484133290076D93FD2A45753ABD7B2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045411Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:57.902{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FFD19191F72CAAF9A98CE17B0F3B8E2,SHA256=ED69F3222210E20BD41FF0706C78478472C91454C4508860E64459B339C87AC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805673Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:41:57.486{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0564954F3C9C40032E6F52A31AED1277,SHA256=0F79EC94E3C29D0F93E6A675518A24630F2EEB3199612F8971C12CB599B9C319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805674Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:41:58.517{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057F8118299D8AA0C88051F03F167BDC,SHA256=5F0948ABF79B2B0833DA52CD1884BF4ACE2B16326BD423F4A0111C0C1E7C4714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045415Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:58.920{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFAFCFEF821DB42DFEA289202B9B2D32,SHA256=C5EE8A0BA5950F4030C93E329B4CC7BBAC8A672232BF1AE0D07D4D58FBCC0381,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045414Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:58.586{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045413Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:58.586{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045412Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:58.586{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-02AD-60E8-0A00-00000000CF01}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045419Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:59.938{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20A08912DD30BBCEA515C329C8897F7F,SHA256=C6294CF7382A39E4F08FB12E87A5994D360171EE3A821DBAE65BD6D13084B922,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805675Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:41:59.517{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8FE2F5AACB088B71FD20809F0253F5F,SHA256=D10F670FB4801CDC1A4B8AEED89547048E770CCBA496D567DD77D8EC68F5BB7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045418Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:59.600{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C1BC07E5FD8A18F8F289EDA395661EA4,SHA256=AA70BC0CB8036F67BD83D1671016762B24DCF1085A7E5030F5EA82BF867967D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045417Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:59.600{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=CBF67D2AD4D8339926B6765FF7D4FDFF,SHA256=18BA55D4C5E14B2528EFAA3F395781582CC9867D21D1A49C33C1D1BDC5156BA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045416Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:50.214{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50871-false10.0.1.12-8089- 23542300x80000000000000001045421Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:00.941{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0BB03939B9078AA7DA729440F04064C,SHA256=5E37DB3A3994084D14935183E9C5F03A2F8398C829D253613AD60BD7FF85382B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805677Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:00.533{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F98B8562EC3FF0EDCEF1CE987CE3BA2,SHA256=8469AB290C93D1C52250424C16E62C17A827D3C03FB9287543B49059CC598BA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045420Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:52.153{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local64247- 354300x8000000000000000805676Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:41:59.260{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57126-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045425Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:01.957{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=554F243D88270D19315DE6497E761E49,SHA256=C2B1CCD2E8F6575CB87B9D8B311FCC6A727725B2AAAF51C9947C7A436D633440,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805678Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:01.533{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68B634E6E2CCE025D8E08903B65BCF60,SHA256=A3787A1C69EC2103F3D78F7EBA0F5B9A887E2381D193B034EA316B92599C67A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045424Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:53.596{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50873-false10.0.1.12-8000- 354300x80000000000000001045423Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:52.158{466BC892-02AF-60E8-1300-00000000CF01}976C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-890.attackrange.local50872-false8.238.35.126-80http 354300x80000000000000001045422Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:52.155{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local55778- 23542300x80000000000000001045426Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:02.957{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30BD5D7596BB08C2611B2B1740256F3,SHA256=620C9A6791F7E1C4DFE66A9B225B41BAC50DCB23B3A0ED30F1CE737A34955A85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805679Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:02.533{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EC7324614A8879D0A74CC53DA3F2F5E,SHA256=EF8D594A7F7B60FAB68C3BA15002976674DF0C4D0134946AEDCD0411DAF33157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045427Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:03.975{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8844D52D65A510A746BFC61D1B862716,SHA256=8F8373F364036FD59A552E50A7F191ECBFB1DB017063645873202CBE64EDFFC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805680Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:03.548{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1197E36AD67547747566B47DDE39D3C,SHA256=66196EEC676ACD217674A7367AB170C24769F424DC39C5D30BA8FCCB137567F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045428Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:04.990{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=165982A779DC6FE4BEBA234F80DBE516,SHA256=84D08DAD73D4237BA3A659BA2A6E29BB78C5378F4908098B520A510AD8B503BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805681Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:04.564{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96F884B57D130FA3D98F66A2D86ECEDF,SHA256=B797843575637030C8000AD34E1B1263C834FFD13512DC87EBF86CCF8D97BF9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805682Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:05.564{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C50792D51F70CB56B3BD200FA57410,SHA256=3123811B531BF305DFBB55413D4F36993D116E25774F91E843B232DD1A3CADB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805684Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:05.260{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57127-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000805683Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:06.564{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=646412085DBCC5925C653B4F81C63166,SHA256=D5BD8E8B81598A5D3BC12960E0E32E4FE2B72641C2FF8FA268C7D4C64ADD4698,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045434Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:06.089{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045433Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:06.042{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-5563-60E8-2010-00000000CF01}4048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001045432Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:06.042{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-5563-60E8-2010-00000000CF01}4048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001045431Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 07:42:06.042{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.4048.407.111828348C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001045430Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 07:42:06.042{466BC892-5563-60E8-2010-00000000CF01}4048\chrome.4048.407.111828348C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001045429Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:06.023{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=504F6979523580F915836A0A9DBE7762,SHA256=77480C73A5AD5B96CBB6741C7385A537AC546319F915039507ED4A2FFC98793C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805685Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:07.580{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36B3FFA979A88BE4783D6929F2D41C51,SHA256=5D4567E7B1ECBA8474EB86DEFD2F4F5A2FF6D96022198692E228FE662FD1C6FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045436Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:58.733{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50874-false10.0.1.12-8000- 23542300x80000000000000001045435Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:07.042{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97660B17F797A18D471A25E5A166AA69,SHA256=672CFFF18E07404C680EBA28A9441BDCC9CFE476195F7531CA091D3E1250016F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805686Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:08.611{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B179557545AE417C4B7657E0D370E189,SHA256=583B590791A94A155BAB1E40C46845174D709A4A74BDF248AE8F91EEA2B79DB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045448Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.503{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=94D4F9052682CFE6283A54C4E4376C06,SHA256=BA63BF21A83DF5614C9424572E4028897026840F32E0E8E64C4C4904177ACB69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045447Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.487{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=6A629D24517E6F2A83ACC3A5D9CC4358,SHA256=60CE43DA74477129D0FCA03CD8A1E832337851551CDF483B220182CA61A1923B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045446Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.487{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F45FDA3FD0F97B5D3C8556F513FA4895,SHA256=FBB6959C8F364BC86C786DDAC07755D33BB96BB468932B25ED3539BCD58A6D4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045445Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.487{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=EB5CC9BE3B286DB07B553415F47684AB,SHA256=D0FB082507B27BAFB8574C9F9D0F230DAE15350656658A7A2D7706FE3012F9F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045444Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.487{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=D293774C52B1A2862BBBE0DD0582517A,SHA256=436711D842EB0125C3364ECCF942287130125766C83CCF0C88C2F0A8BA20C0A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045443Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.487{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C745088EC979F9F34A53DC296B2DA81A,SHA256=389EE94F5E6004414EA0D0D06F816C2573FF42612FED739B5D0078AE297847E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045442Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.487{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4C8364AE8724C6AE4E9547B6F192FA5D,SHA256=51E4EDCBB77648A343FCA6FD6A3298B04B34B6585AE4EC7EBC322676FE6E1951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045441Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.487{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=0ED92001D2219449A196572B56919B56,SHA256=4B28F26BAB8D74AF9ED4F8203224D75973A6E6FB5B11E553309A396C00AF674E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045440Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.487{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=A2C9298C1C5463F3E1332779B8CFB0A3,SHA256=427AE1783979DAE45176380F6F207E0E18BA1EAE1E043AFF51360150F3D3B187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045439Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.487{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=0A3DCB1B0CE4B5DA13DAF653A3B18464,SHA256=2BA8FD8A43D68DCDB02E5693E3C74BF140F7978F5E69A2C2E8FF02202DB7016C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045438Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.487{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=85AC2A30DEE5697C6DB58F799D32D13D,SHA256=E67E5BEF0480F7DFEE9D1975C9F21B16633758A656A36EB8545C3CFC78216E27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045437Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.057{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B5BA0F79B4FEF31CCE895E3A9C02FE,SHA256=108898A3E635FD9326F51183F19DB4F8DDCE61A390E49FB1A7036697FEBA88F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805687Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:09.658{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00512F5E03E0F6F32B422B8CC3953E9B,SHA256=0DA22B9AE002AD83CDAD36D743BA5FFE604E4D1D06FC02BE9B8266291CC0A0D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045449Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:09.071{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8CCD67913796F910BC36FD7A806DB83,SHA256=784CAFC11EEF99D9675C4E30247E359AA867BAB2F0FDCEDAB0263751E5F74C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805688Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:10.705{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E1015CFB33E3FF4312B860682FFF38,SHA256=6FCF14D174BC3A6176067925833E3EC1AFA42B87274752B3FCEA27D8D1BB0D1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045450Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:10.086{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D956EDBD8D8C6E1326A316421C20B821,SHA256=C8A969EA792F85CB601D9984252FE99552D0D71C5406FD19B0BC5CA6E2AFD1DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805689Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:11.736{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE8CFEC7CFB0ADD24317884DB0CDE04D,SHA256=E5D3AA8F41313BD3423D651559318938E5E62AE1141CB30C8B0EB62C88D6029C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045451Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:11.087{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=399BD9B17C035C9FCB2E174921B1E008,SHA256=927C7FCA577E4BDB61237CD5F12CEF224F9C4B2E0B1543F10BC7A08E5D3B24BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805691Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:12.767{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49F59C8F1824EC53CF1814B5D43FCE24,SHA256=487729F53711D67CD6B1BA799ABD17489040764B96B74E7F938CD3D4D47A6DDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045453Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:04.661{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50875-false10.0.1.12-8000- 23542300x80000000000000001045452Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:12.119{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77755F6141131CEBAD9EA855B6507DEE,SHA256=E7FAB54EFB52329BB9DD11A8D0D7726B53D0FA6927C400F0E51399758F9A74AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805690Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:10.400{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57128-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000805692Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:13.778{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B08E9ABB97F7C0FF4603E018CEF0FB,SHA256=E6B0571FDC2429C54A7FFED30F4CA9BB069F2AD459BC0D4075340A47458DAABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045465Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=A8F627E6E4213B2AC2504487F1A9784A,SHA256=6F71E27A506352C54D642832BB81AC44ACC0A12C8B7EA2D42CDF3D5F94CCF402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045464Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=513BD2C5A9C48BDF096BCEDAC76F0CF7,SHA256=E70F846539EC7A5F6F0F308A03219C4DAEDE5F22FA5C2A61FFACB6FBD1CF3DDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045463Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=6BE4FC5CBBEAEB5AB4831E685F910899,SHA256=AED81F78594BCB48535B420C1476B59FBCA9EF31D93B4859F3A2A3EDCA511BC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045462Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=2D9F7911EB8E5A7D2AC81AD88F3EC8ED,SHA256=C411800FF74B2D54FC3D5825467EF96C3BE04907DF332F2ACA05EF7741B26252,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045461Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7DA8994B1E68B7F1A2F95E77BA90B236,SHA256=8903ACED0B3FCFAE7FE60E08B54B22D1E198085B9AFBDBA7FEF7526038DBC7AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045460Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=98B7FC9DEFD9B08319CFE953676B6412,SHA256=F33C8C695FAFEFE00D985D4C68C4ECAFFC42172FAF00C385DB32E2ED2BE05B2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045459Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7A629B560B0948CFD64413383579600E,SHA256=994350B43A868F6932536EABF42832F90EC16FDC23B2DED4C066540D23F79C4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045458Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=177A28C3A06E2013287FC7765111EBFA,SHA256=9922B3A9A93EC30CC39E796113275DB5149A41097AA5E7287F301287E5CACB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045457Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=365737606F4D43E19876F9D5DCC826C6,SHA256=23C7A0F154453F662BA743E9F0233FB09E67C50E964AAFF5E341F6EEE0D46EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045456Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=DE5309582FCBE68D975F55C2565CDB93,SHA256=8CEFC8D55A38C466AB72CFBB3A138BCA5913A992CA131518DFA83F8E847CE753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045455Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=14852CB422EE770748A1E188D5E44DF0,SHA256=712AEB9D79710021E590889D481F4C4F046735491C56569D1D7EF45A25C04A0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045454Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.154{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB3E52C8388A092FD5D9A5F1ABEC1118,SHA256=8F13133F2551D6661377EBB3A70C57F0A622B583B3ADB3162450DB54662303B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805696Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:14.778{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DDE8B65B020127CC3C46887A41FE2CC,SHA256=E1CACCF2C247D334DDC85073B024235725380370D5DBC52C57F77F5AD4BFEDA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045467Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:06.685{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57129-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x80000000000000001045466Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:14.168{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3058F78D001EB07DD183786178A5B24F,SHA256=4B21A55FB528AF08B8C8DF0E335892FBFA84AEA1547AA5B47EDB20C3C827F0B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805695Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:12.356{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-23361-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000805694Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:14.138{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39708B4C01F50225A54CBA928464A82C,SHA256=E4D431FB905A8819EE79EB450B62805FED4AA730FC8268599AE220F0A0BC0F3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805693Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:14.138{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E59A5D0905F06A3C83CDF77FFA2BC5E7,SHA256=4E7EA43DFF780D547D73A1915F67AE4C96CC5B0DC1532614548291E7813BB1AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805698Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:15.857{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F8CF2B6C38F339279DF1E966B3FB528,SHA256=6BDEC82FDCE586AD0D2033CE4BEE9727718D03CFF0B05CC7A062B06D4364E989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045470Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:15.320{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08CD5168587700352B4170704D1AD96F,SHA256=9488B4AAE8FA2670D74D01C850C44736573D97E59B2BFAB1E27A364E8F1EF613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045469Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:15.319{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C95318CED7F6C2FC53AFE3401453DB3,SHA256=D1E7BDF900B80EF92B4C43FC648A04C7AD2A90D20EC9594D1D31D37ABF385A4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045468Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:15.199{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=370D111ACD4F1E78F014FC163973B992,SHA256=6B3E3DFE247F5D235D128051EC0AF96FF195FC7ACCF9B1F7FA3AE7F047AE4038,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805697Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:13.279{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57129-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000805699Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:16.857{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=810A49FF490C0CD6833D925DB0C56675,SHA256=94C95F555BBA55F2C7FD79FE6ABF195A80CBD6F747CDF929743D3943D1993A7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045473Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:07.858{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50876-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001045472Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:07.858{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50876-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x80000000000000001045471Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:16.217{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF30732DEEFF1DB7539197AD887C9168,SHA256=04DEA21A65DDEC7EADC88C8B026A45EC00D781C1C5E1F383340011A5131F1505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805700Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:17.857{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D562C3CCF6571D0952244417AD4F4FC0,SHA256=928EF3EDA7E682CE6E38AA1848CABE653149BC1005F898FC76FCB37AF3A699BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045475Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:09.794{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50877-false10.0.1.12-8000- 23542300x80000000000000001045474Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:17.235{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6651A899981A307023E4DC04636D1CE5,SHA256=F9BD263F2707A6F44BF7345CC4ADA29B1E46EC553E6AA4BE7951E85C322C5CEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805702Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:18.872{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E7B9D2C7D4289E83FCFC205EC289E1,SHA256=C97644722AA33057418F5775D90FE186420EDA2267CC318EA9FA7C553E372394,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045477Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:18.238{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ADD0D9744C2B81F4F6FFB94686407F0,SHA256=0E3EE47A112E18E5BD8B50685F491DE075101D880516EB5EB66A505512DAF048,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805701Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:16.364{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57130-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045476Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:18.118{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805703Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:19.888{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C977D733BDABE7C23C180746AAE4F0FD,SHA256=59200BEEF0079D3E7C7A10A24498AB26DE02F890E032216BB92354FC2650882A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045478Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:19.239{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5A839D7B1F3FE07B16B13E9776DF22,SHA256=803605269EBA8C0F17328490933AC78AE890B75AE303AB664C25D26EF88F8864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805705Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:20.903{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0658C8AD31EADDCD3FE122D6351B32C9,SHA256=D863A62330DFFA5FC6E2AE6273E5D133E8A25BFF70139C723438996B95152568,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045482Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:12.580{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-54571-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001045481Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:20.637{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BD9A643BE4EFA8342C81F63B9616F4F,SHA256=2B099FA0EB2DC2319777163EA602FA8A0D553A316321F7E013F77AFB18641052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045480Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:20.637{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08CD5168587700352B4170704D1AD96F,SHA256=9488B4AAE8FA2670D74D01C850C44736573D97E59B2BFAB1E27A364E8F1EF613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045479Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:20.253{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB58D82D096FC98FE07CA710EB60F4E4,SHA256=2FD2A497C9E02E9829C6A79F6739D5C1B6AA3807413D6B030770A1EE866CAFD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805704Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:20.278{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805706Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:21.950{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C48C83EB4BE54954CDDF77C591F8CF,SHA256=A190E41644160F573051C15C0ACC3475C70D70E15CE16931F73D2C7585E0D8BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045483Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:21.268{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76D25031572E4E0DF125629D12E5CC82,SHA256=828791CCDCBA9CED6F8DD00FE3690A394C440589D3BE3AE210506E6220FAA33B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805708Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:22.950{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08E4EF75F946D5ABAA7B269CABFC056C,SHA256=299BB6FF39B0D390912CF4E53869529CF94578D47A501472EA7D298355CA8E19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045485Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:22.498{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\axpgvkas.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=B2C5A949DAB8A0CF7A12F4885F3BCC1F,SHA256=A2803526A509AF88AE438F7AF2C4A88346DA8B350FC058A5D29867A91E0B5B1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045484Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:22.282{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0586F821D32415A90FF6A46964B5F51,SHA256=D6BA58FDAF512E403188FEA98F030A91D1B2B8222413B3D839D5C06585B1437F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805707Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:20.412{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57131-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000805710Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:23.950{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B45315413DE1B814755FBE9AFDAFF656,SHA256=A6582118738CED8B8479E02C6B613E2670CF197D97D2BBD9E3ECACCA84B74EB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045509Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:15.756{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50878-false10.0.1.12-8000- 23542300x80000000000000001045508Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.597{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=CA4D6104E819A88412E05BA7D8C50D9D,SHA256=61FC1B5DC4E51C242E227263DE04DBFE21CB17708DCE4D5E882F25471E124191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045507Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.597{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C29D6ED0737A3B748811F1A336531480,SHA256=A8CBF5B4372EF171380BCB10C6C890F79B8DD3BBB6E5FBBCE13E379ABF171F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045506Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.582{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=04F1483EB500F7DD5DBFCB7E81C66B30,SHA256=D4C50DF4E733C42E32CD034B5835FEF7F2B5DE98A642DA0EA4EEF030F15B49E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045505Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.582{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=CE5AB7E61AF0F3DE5FBB6FF4B849DEDF,SHA256=8E851FF5DF60BE84AD1F9B65BED48310082BC6D293321D694A3EF749D6A115F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045504Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.582{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=55030877845160C36324D191D140078C,SHA256=E8912AD66F83B605A72A81017E5FF3B2ABAB7EE265A12CC5068304D1C4F352D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045503Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.582{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=964C3FEC98E97ABA6FDF704D588DF532,SHA256=52753C9740F5615179FFE924AC746AE6310C0A6A24F4FA361F643A21BAFC63FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045502Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.582{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=12565593B8B39100395CED136B1C853A,SHA256=B1B4FDA69CD1608DAA622DDA8E6F607DE85459FC751334E02D5561B0C5AF117F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045501Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.566{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=692BCE6277272CD8850B3A4F6AF96D31,SHA256=AFFE021C26EDD1C32AE538D1256ED9449AADAD3B32702B75AA5BA4BCA54C0D8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045500Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.566{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=DE713F5D008133E2C57A986B3BFDC51B,SHA256=7315FDA825B39F94D09A4C3C3DF547FA26325889E2B71C82A52576DD5628062C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045499Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.566{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=CF3093BCD820CB24E9AAC36B1CA8A81F,SHA256=2E8D846228239446FED20C7CEDE0CBF2CCAD98B1550CEAAACBF7DD9D0AD2F196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045498Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.566{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4D0FFB1CAEC8B7011519BBBF0A785BBE,SHA256=E1349C7F2B5EDDF1C1A43E816F8AC4ABF44886DA7F62160F32223CD7B88ED852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045497Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.566{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=09BF2AC8B3EEA61B2E295A7990FFEE1C,SHA256=0D5FEE5D92AC7AA44120276EB8909AA80D34F3E28B8ABF4E435B919CB0FD2946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045496Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.550{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=8115E1DDDC577B4525039501D885A2A5,SHA256=C9C4E3E383BF7AAA7699D396AA111F6D2E3BEC650B964979C361B0589B027142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045495Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.550{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=246BBD7D35447F27A53D7AC39A11BDE3,SHA256=E856245818F7D48949E92EF5824C103291D6277DD5AF4531087A2F7950F40AC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045494Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.550{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=E9A693C0C475C63677A1390620BEB866,SHA256=B1CB0280987030EC8AFFEB30CFC9EEE44E26C17C4E032F995AA24BBDD7534D5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045493Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.550{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=240BB9AA5BFD2F0FF4DF287D61B3F5B2,SHA256=D3BF746D71FC600759CFC15D33C4F6FF1AD8A76E970E32428249D7775D62A11F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045492Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.550{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7A2E3AB6BA19DE38ECDF0BB634C4D2F6,SHA256=1CD1852FEE81A3545C852CCEC78D4C1379D1A1AF8E7C5102A915E7330DF16EB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045491Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.550{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=E2C7DCF0CB87DB81F61A4B5FBE6F333A,SHA256=0D0370F9CDCD478D20BF88B1BFD416138A37BD72892ABC8202C732FB79C907DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045490Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.550{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C9B3EC857B0ABFD9E75264ACB923AFA7,SHA256=B0C51B59DA5F08CDCAD7B227A9F1840C909D9F33FB01B80809EC4B2B371FEDFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045489Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.550{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7A5255A9AA5BB65A34C76103971F010E,SHA256=6E459AEDB557904224352426DED7743F7F36D792E7D6C6AD1F9A1C1F3BE05D61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045488Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.550{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4F6C7A0A4D033B01AA9CCB838420ACAE,SHA256=590DF34EE1706829242A2BFDDA1564D393D078B1FF8617A8ABFD449A32E36FFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045487Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.550{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=DF96051058A603AE0207DE636EC8B266,SHA256=57F57EDB02886535037E10C6D21C40B200E7DD61633DD2235A749075142C9CE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045486Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.297{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11B6CFAD0ECF325F6A8436F957EDA816,SHA256=7F73BC224372F6702EECE5B2D6D2BE22550D663AD11390D4444C972ABEFCF818,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805709Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:22.286{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57132-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045510Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:24.318{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E39589DE81FCA5EC37CE50416B63C49,SHA256=04EC0C0E9EEE4C467EC9064BA6CC23755003EE9F4E56C99CDEB2CFF4B63742B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805737Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.919{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F260-60EB-2E79-00000000D001}1432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805736Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.919{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805735Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.919{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805734Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.919{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805733Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.919{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805732Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.919{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805731Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.919{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805730Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.903{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805729Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.903{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805728Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.903{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805727Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.903{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F260-60EB-2E79-00000000D001}1432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805726Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.903{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F260-60EB-2E79-00000000D001}1432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805725Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.904{0C1E0330-F260-60EB-2E79-00000000D001}1432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000805724Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.372{0C1E0330-F260-60EB-2D79-00000000D001}20883688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805723Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.232{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F260-60EB-2D79-00000000D001}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805722Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805721Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805720Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805719Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805718Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805717Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805716Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805715Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805714Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805713Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.216{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F260-60EB-2D79-00000000D001}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805712Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.216{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F260-60EB-2D79-00000000D001}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805711Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.217{0C1E0330-F260-60EB-2D79-00000000D001}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000805753Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.607{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F261-60EB-2F79-00000000D001}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805752Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.607{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805751Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.607{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805750Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.607{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805749Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.607{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805748Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.607{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805747Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.607{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805746Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.607{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805745Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.607{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805744Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.607{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805743Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.591{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F261-60EB-2F79-00000000D001}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805742Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.591{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F261-60EB-2F79-00000000D001}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805741Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.592{0C1E0330-F261-60EB-2F79-00000000D001}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000805740Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.310{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97F2B168C86320EFAB6765726DA9879C,SHA256=8DA23FA57D51BDE0EF9822DF3E68F7DDE52CB1E8B744F93571A7D9DCE5931AE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805739Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.310{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39708B4C01F50225A54CBA928464A82C,SHA256=E4D431FB905A8819EE79EB450B62805FED4AA730FC8268599AE220F0A0BC0F3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805738Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.153{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5482F1930A126F34B5F48F4F413C93F4,SHA256=A89AB223572E20AE4930BE4C6E4CD25D60D2F3571589DAD75EF616379AD2012A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045511Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:25.349{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECE6EEEC0E335AA996DD62EAB2F363A8,SHA256=C5E666CCF702956E538BBB30ABA9688CA43B05D83A229651DDEAB4EBA5DEDBFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045512Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:26.364{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF1F6933CC3BF0A125E650B942FF69C,SHA256=71AF93F7681B2F9E0830E803E5512472654E471DEBF1E28E8C5DFCB4C4689D7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805781Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.966{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F262-60EB-3179-00000000D001}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805780Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.966{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805779Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.966{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805778Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.966{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805777Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.966{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805776Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.966{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805775Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.966{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805774Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.966{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805773Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.966{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805772Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.966{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805771Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.966{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F262-60EB-3179-00000000D001}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805770Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.966{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F262-60EB-3179-00000000D001}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805769Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.951{0C1E0330-F262-60EB-3179-00000000D001}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000805768Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.622{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97F2B168C86320EFAB6765726DA9879C,SHA256=8DA23FA57D51BDE0EF9822DF3E68F7DDE52CB1E8B744F93571A7D9DCE5931AE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805767Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.294{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F262-60EB-3079-00000000D001}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805766Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.294{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805765Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.294{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805764Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.278{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805763Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.278{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805762Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.278{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805761Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.278{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805760Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.278{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805759Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.278{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805758Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.278{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805757Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.278{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F262-60EB-3079-00000000D001}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805756Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.278{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F262-60EB-3079-00000000D001}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805755Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.279{0C1E0330-F262-60EB-3079-00000000D001}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000805754Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.216{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A9320FF155E77DC9EB6DA7928AF4A6F,SHA256=BA21060588E57AF608CB8FC3550B46C81C7F1F91408819F0FBFAC10C2A84C712,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045513Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:27.379{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=024788F206702B1A01457F794970CA6F,SHA256=106ABEBFD3A3C2BCBB8C35E8774AAA9A9C2B4308AF35335A594D81B83317CC76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805797Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.794{0C1E0330-F263-60EB-3279-00000000D001}292640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805796Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.653{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F263-60EB-3279-00000000D001}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805795Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.653{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805794Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.653{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805793Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.653{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805792Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.653{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805791Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.653{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805790Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.653{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805789Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.653{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805788Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.653{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805787Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.653{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805786Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.653{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F263-60EB-3279-00000000D001}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805785Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.653{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F263-60EB-3279-00000000D001}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805784Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.638{0C1E0330-F263-60EB-3279-00000000D001}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000805783Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.325{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94EBC934F1C61B73178FB8C6C81AF357,SHA256=7C8549DCFF11065079D6DFEF916F97E60AC0E8BDC2A7C43FBE9B186C9B6E7BCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805782Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.122{0C1E0330-F262-60EB-3179-00000000D001}33162436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045514Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:28.379{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06EAC5C7619DA2A9444BCD9D12BD2602,SHA256=013B05B7FB13750364E1DA7587BE433DD0599F3314B463DEDE16A7E146921479,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805813Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.622{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D13D78B777C32821DF5949761D286235,SHA256=575E33BCE72160CB0A547A397A5E1DD0580DD297DD26D2BA233BF9E74E57FB0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805812Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.497{0C1E0330-F264-60EB-3379-00000000D001}416404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805811Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.357{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F264-60EB-3379-00000000D001}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805810Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805809Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805808Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805807Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805806Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805805Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805804Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805803Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805802Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805801Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.341{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F264-60EB-3379-00000000D001}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805800Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.341{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F264-60EB-3379-00000000D001}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805799Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.326{0C1E0330-F264-60EB-3379-00000000D001}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000805798Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.107{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77472AA1BA26B8C7BC0C28D97CDE40C6,SHA256=A494A5A8C8E3BB25ABD73CC65AD2DFA1FACEAACCDDCE5280DD05821BC7A77C41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805816Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:29.638{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E08A31266E0DC72D1251B166E6B4105,SHA256=B234B28D0154B21499A59E2ADC8D292A2E9B6241E0EFE7A08B02E0D5695CB208,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045515Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:29.394{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E364F158382A6C04C3D1F30BB9B27918,SHA256=4628254D374182D19DEF03062CF846D8CE4BB6E90F4F6B4D0F3231F55258E2D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805815Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.242{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57133-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000805814Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:29.372{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A42167B1ED28E7D060BCCEED1BB2D37,SHA256=5FEEDA971941CE546F980AAE85774E9D48B78D89A2633D8F2FFB6CECE6DD43A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805818Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:30.653{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9519A83D78096288710DD9A73A4A23D9,SHA256=C3E907491F127314BEEC03A0C5B9A615272331A8804E28A7A689617300E3D38C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045517Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:30.431{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67365BA9416A86532007F360710596F8,SHA256=34167DD7905ADF8C67BEB10332652C5E4433E5374977812AA560B15CFE48F66D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805817Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:30.044{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=829596DDDBC27ED4F24B2BFEEF61EAED,SHA256=606CC04E9FB34D0DA4FF68BF55D76FE50620BB129714C61B24C6F524D03D88BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045516Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:21.721{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50879-false10.0.1.12-8000- 23542300x8000000000000000805819Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:31.685{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0A0988CC333073CCE48FBC68EC9AC45,SHA256=2354EBA5085C5940C4E358CCE37B7CA377331D9F22A19D5172ADA11BBE1E5AD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045518Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:31.445{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C67FF5AF8750403805B84DF90218B21,SHA256=1756651D2045306662A55356B5346A4C5A371D53F2B521A2903A5ADFD2A1DEF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805820Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:32.685{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64DA1D88C0B380D347DD181ECDA26352,SHA256=C5DA9ABD30F6144D3593B6525D562614B100DA9AF5665D6DBC8BA44CDACBD937,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045519Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:32.460{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5BB7BA575C5C1C035D597DEAB369D25,SHA256=EDE6050EC3326B9991732C5CE2C7A6B194E615F3EF9D86FB04D093A7BDE8EF41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805821Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:33.697{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29833DA41FE7AD9F84F750425FF36EF2,SHA256=C5ED796942A6DEB12801F30D3A261BF2E7A1C72AB3CEE316BDFB6D74535D83B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045520Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:33.490{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95E623AC9BCA14A4610B2324AD9724F,SHA256=CC0207923E2BAAB360DECA2BBAD76308AEED0D84E4FAD08A8BA803F8288FC7DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805823Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:33.240{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57134-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000805822Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:34.712{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F60D9CD8EFA03DC848625BDF4672E575,SHA256=2322CE2A4C2397E1E5CF977638A5FF6DB06CF7043A5E44313C35B69232F69CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045521Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:34.508{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C875EFA5D3BCDE5F1B7E808F33EFD57A,SHA256=94317C31F28E059D18C892ECEC4A37A25F319A0860BE2391E6937967DC2B4C15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805824Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:35.743{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9428F1DACAE839338A22C452D928FF,SHA256=165F6A0B3755675E582C2A1C6651060A629543198EE823C4D497F8BA5BE2CE25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045522Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:35.526{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F785C4127BB8DFDD3DF37C15D698260D,SHA256=68466A0950CC08E3133B3955961F1834BCE0FA2B3526ABAC1639E4C33267B83D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805825Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:36.768{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98AA6A3D498B79E23C28FEBB8AB83C3,SHA256=BFB61FA675B5A93BA9F236045BB631170A5528DBE4DBA617B6E33AA0974B02FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045524Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:36.557{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C256556DA80A205B860F3E5BFE5EA35D,SHA256=AE9BAB2012C896683C04B0A05D6FA48B92C93CF77A30911BA9EB9717363A3A20,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045523Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:27.747{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50880-false10.0.1.12-8000- 23542300x8000000000000000805826Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:37.780{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2E39FA31DD8672065FECCEDD9AE4038,SHA256=B79C1EA819FDCE4B31F674D334C342B543A949BF09847D3A868311BEBBF217A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045525Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:37.558{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=047244EB6C7B8096175952781769B100,SHA256=917D94EEAE42548D8595EAE4EDD08E00C1AD59118A387E444560B284EF201402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805827Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:38.814{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DE941FCD950857FBC354E2CD799FF66,SHA256=EEF46054DBBEE29688A56EF75BAEC17642937AEE64A153602F59E47D9C0D9584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045527Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:38.589{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C10373EB5C3A1E4441DD1F5517E0BBEC,SHA256=EEC78772466A94CD78E4C4942B90FFE85B37BE6D3E7551813C3CBA65C1DEDCBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045526Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:38.427{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5B11AAFF0C00D359A109141237949D39,SHA256=DCBAB330D956F0A9E4B8E3D5BF8697D63907D2834C335D3A2DDFD729D26F581C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805828Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:39.814{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B053D010ECA8EE8107DAA39E7FD4D111,SHA256=9B83A01A8A89D587F81667BACCDAE2DA93DDCE10C305521C5535D364944B2E4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045528Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:39.606{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA6DC2AB622804D74D420099E8E61EAE,SHA256=044C4486C615D112062DA80789FCE1C433123C5173EDB0C7F5CA9A0ADAF3FF74,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805830Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:39.228{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57135-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000805829Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:40.845{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50E9D1919F7B2B14ACFF01E4D3A582ED,SHA256=2E65CD0D37F6DE099ACEF434EA4EB329327568ED0809696C5CF3DAACB39F5A7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045530Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:40.656{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A29E1ACA6986D3319AE63801948DA467,SHA256=82031B55A4A982E6CDD35890B0FB53A379D88ACC9136CAAD77340297795C61C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045529Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:32.482{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse89.248.165.74recyber.net28601-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x8000000000000000805831Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:41.907{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81FFB0740BFA5B1393AC106762DDE305,SHA256=81A573CCCDC76BD2F29EC11EC6E0258E4AFCE9B41C7DF7F86FC4EE68643393E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045533Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:41.686{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C8EA121C409BA7BC808890B95BF32AD,SHA256=2E7471FBCEFBC165443F734C0CB5503BF5B5DE95C78CBB9F55E101C7E871DBC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045532Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:41.071{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F0F38DA28A88832B17B5700073A183A,SHA256=8041AD64BA212FA8608D97E48CA5D7A37531564920B420ED57FB9C05C142BE16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045531Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:41.071{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BD9A643BE4EFA8342C81F63B9616F4F,SHA256=2B099FA0EB2DC2319777163EA602FA8A0D553A316321F7E013F77AFB18641052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805832Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:42.923{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A6386750B26D98AD27300C426193038,SHA256=3C67A9B0AE2DB2AC6B4AB735FF2A379596A8C982B2E46C055F36607F117404FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045535Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:42.704{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9AB778CAD6D3E1B8C45E175E36F3BA,SHA256=8895746A75B9DF48233149EBB4F76D4A2D280DE85100A9B5AC7F177521A614FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045534Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:33.683{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50881-false10.0.1.12-8000- 23542300x8000000000000000805833Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:43.923{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A927449DCA41E92D42364980116CC0,SHA256=A0488E43655A3BD4F78B46373A0A3D5B43145E9B83FE42F88C2688595A33583F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045536Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:43.737{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD980509A1B674865E43150F2CBCA7CB,SHA256=B1676F348FDD8FF03490085DD5D3C74B4652F650C3C58C87DBDD0AC0B8D5D72F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805834Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:44.939{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F7A3BA4E45416FF5C64FAC0642BA958,SHA256=1C95EB5BB1C2A5E8A501292AD1F3D22650D94D29EAA4D09E4E21EA60F14940B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045537Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:44.752{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83F4FA09E7A5CA7B5CF9E142308132B5,SHA256=B87665074FA00B61E6C1733A93C8E517BDDDC5ACD99B19D2EEAB3CFB9AB707A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805835Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:45.954{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A9E4FD47027A975781D4F18F23EB9EC,SHA256=20257230C6A42846DEF39449425536EE60784B90516357167B67E9AE89BBBE48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045538Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:45.783{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17E6F06343C33C9D6ABBE4E754656F50,SHA256=84787243B38FD7482E828453F1A10036A1D01D84E36CD08918200894450B4E49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045539Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:46.800{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F158474B8AD3BA3F58A84C26F7F04AB0,SHA256=DB23B731FDF952502830B1D73C1C012EAF09891E6498F6A2F84C440F212DF1C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805836Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:44.337{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57136-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045541Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:47.828{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=254C77D06EDCCB468435E3D330F66608,SHA256=A1B62A57C9CFFC77A5DE045735C5CC7A209976A466DE805621FD32321EF0DEFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805837Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:47.032{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B115BEE86B4C7956C1B39950606AB5,SHA256=48DA28841ABAF52537C04CF93986CC44F53E46AF246756638187C2D09984F198,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045540Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:39.640{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50882-false10.0.1.12-8000- 23542300x80000000000000001045583Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.938{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=0E6406BCED06B69AEB6C8CA463C0EBAB,SHA256=884CCC1F3FAAB666B5DAE09256AD409EE961AC8E8EB0DF4B9144DF09CFDD0035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045582Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.938{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=5AD4772D4BE6E9CC7CFA00B64B6CE71A,SHA256=C324FCF91D4B541EB93422BDD5FA434E39A752B6D7A93D78E70472F6D9B1EF2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045581Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.938{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=23F92D6A4085DA3A049409C9EF6E6F24,SHA256=9F6D9C12BB68A8D0EE3F884519916D7F3D174C4F85BFE2BD208CE27A4D1E1D9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045580Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.938{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=EA86E0097B81FDBDEE3F12AC90CA6410,SHA256=6A242B62530E38DDCFD272643F6CC44EDC0208C69DC3022D6CC273F4C7E79AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045579Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.938{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=8DC78A562E1B268958A981D0AD7EAD74,SHA256=2A960282D759EAE224A8A47ABAD7A54DF042460DF0E5AC83A793FA822615FB83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045578Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.938{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=3B53A80D80584F5F16860FB04FBBB50C,SHA256=578B167D678436BE970332CB1F2B38D237BBFD6DAF46C2D565F0A457F7C00D6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045577Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.938{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=630E6BAA0AB0AD54050AFA8D0A5A478C,SHA256=7E1952C7293F78C27C13E8FB5DCAFA94E9439A6A4B342BCEC4DBEF4B8B99E977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045576Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.923{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045575Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.923{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=5A35E65CADA1885B6796D1B3FE56E5F8,SHA256=35A1BF0FF6DD2B70DA5F89611891D413808DDE1510D03D788FF48A214AFA7CDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045574Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045573Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045572Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045571Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045570Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045569Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045568Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=E72E6B0165636DAE364CC43097FCD4E9,SHA256=3FE594D286D351B102E94676FD8A91B8FA0B3FDDD151336DDCE8C9BA2CFCFB50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045567Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=318288F5909637E0C3285C0942D72FF4,SHA256=F2BB9D40F7237C0E6D8EA96DFA2E864BD1264EB191C52BDBF16488D9466BC300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045566Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045565Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045564Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045563Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045562Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=F7A173C65979416711FAFF47FADFBB44,SHA256=7F018CC32CF471750B6C5322E27E4F1C38097C414E7C6DC6AF9CF31E607431A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045561Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=5C71167AC9642FCF7752093F77FBBC89,SHA256=6714F7FBADCCB013DA1D8ECEFA6368A7D193E1F2460477F8AC304EDCF8637AA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045560Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=BFED06667174B0D03EE7F88A3DDC9A8C,SHA256=7AE5584755089D28C3A52DCF1EB86E62D4F2E377D61A7D549C6D4EBD53F39B26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045559Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=E6AAB64DC2799B4ECC6A6D18F86BD283,SHA256=D72FA31B50E9164371C5B7A3CCA257B99CE12D900FB07DEF942361D76299F5FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045558Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=16E5F327975AC215E9EFA4A4FC5262F5,SHA256=4698D628493E91E42494C8343B7E6469DFC1BFB1F771258C2FB556E84EF314B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045557Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=C3757E7620737B3B6500073B370852FE,SHA256=34B07244F673343E9AC1C775B455C0A60AA95439E83A70B0C6A24E504A88F4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045556Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045555Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.891{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045554Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.891{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=8D9E3EEEE577DCE4B0062413A081F9F2,SHA256=D0E3356B67A0BB9BD101D87FA6E23EC2699CC8A25564CD88076663DACF73A9CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045553Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.891{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=2CC22CF356532158115AB8A0851A9A80,SHA256=6B106FD00C6E27909C9779448E5BDA5FFB96FE2A6FF42636A662AB411D9906DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045552Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.891{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=630E6BAA0AB0AD54050AFA8D0A5A478C,SHA256=7E1952C7293F78C27C13E8FB5DCAFA94E9439A6A4B342BCEC4DBEF4B8B99E977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045551Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.870{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045550Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.838{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE8B9F834041C9187460E4FAC04CD81B,SHA256=45DCEDF8646C0885AFD9F438993F8E3526A276EA9B7BDD442FE5309CACFD5A5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805838Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:48.064{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E04BCC7C2AF8B0E35C2F3C2AD6389D7,SHA256=F02827AA2E31C437E7CBA0E592CDE86CE37BBE3FDD6A052664EC1926E45D0BE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045549Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.823{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0651B0CB496569EC5EA27EA4A2E579C,SHA256=8280063A02D54619C51F0B1EA4B4FF356E88D6AD8BD2C6A9DBD4705A0CD1025F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045548Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.823{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F0F38DA28A88832B17B5700073A183A,SHA256=8041AD64BA212FA8608D97E48CA5D7A37531564920B420ED57FB9C05C142BE16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045547Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.807{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=B291AD81803C87DF795FD2D4B46F728C,SHA256=E30C60296F8C2538DE9194FEFEFC2E7BF645804CF341ED524C52CA0A98E89484,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045546Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.807{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045545Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.791{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=23F92D6A4085DA3A049409C9EF6E6F24,SHA256=9F6D9C12BB68A8D0EE3F884519916D7F3D174C4F85BFE2BD208CE27A4D1E1D9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045544Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.791{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045543Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.790{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=0E6406BCED06B69AEB6C8CA463C0EBAB,SHA256=884CCC1F3FAAB666B5DAE09256AD409EE961AC8E8EB0DF4B9144DF09CFDD0035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045542Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.748{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805839Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:49.064{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=588B2AF42C3C29382F84D72CF27C6B54,SHA256=C7C3D990676C37C6273F7BA0F506FA7AAC3C99D8F4E44E4B894749EE5AA89034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045602Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.538{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045601Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:40.947{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local64659- 354300x80000000000000001045600Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:40.945{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local62188- 354300x80000000000000001045599Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:40.446{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.188-31405-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001045598Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.022{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=4389884605AD56EC50BF27FBD4CFB473,SHA256=60B552CBA048738FE850BA958CDDF9B742B6FAA7519F455D4B39437734725990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045597Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=3F92B621E1581AD764BE2EC57381AF23,SHA256=18FBBA6D350213F61DF718195FD2B38A3B8344D0A5C22C2713E6F8944E9A9DD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045596Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=8D76E0D31A687AE5A730C71C052C68E8,SHA256=6747A2FB92023CBF27E345AAC38B2BA7695A7DC5E9A42BD793D0CF6DAEAED260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045595Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=DC7308A91A03C92D7329F37F15C7AC82,SHA256=180DDE904FFF036ABD4045A52850200ACA369E4577E14E0675E5298855A6AA0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045594Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=54971F1ADD787A9676F9DEFAB4C7FE3F,SHA256=FD890E3920CDFB62C1089C6119A8F8B713F81BDDAF7BEC925AFB4BDFB32AF5E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045593Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=0A19E4A237D65FF069452EF5201F217E,SHA256=AC5D43328F28E2B1159D014197F58D987C2AB78C9179DCD924524353571FA604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045592Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=D95F203FEE1C8FAE222EF4C6D410971B,SHA256=1CA57763647104AEF83C8A86E8366FBBEE4BAA88C900C7AF66F437720319CEAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045591Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=C0FE3CB314FDF424A4D4F1DE2801A4DF,SHA256=C4CA8CE5B3B8D038E3348887BDA7634D1949325BB95A68D17184D2A99F37E810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045590Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=8F1AF05E946BCD9711A1CDE1B1ED6C95,SHA256=0F5C8864E17307F3C8CE1D35AC4770D0C1C34F8CDB3FC7404F2114B4E0FD93BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045589Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=B91E9842F81EE5668B68C0B5B561010A,SHA256=19F7DFB5FC8E587C8D48DC8A779B07E1C11CCD772A7B68025146FF0A335B54CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045588Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045587Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045586Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=6CBD94D3D2878BBE7EE0E707A97C3307,SHA256=F3B68CF7458532B88D77ECF652721AE743D4E7C60A8D44D16872158E66E9D903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045585Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=B291AD81803C87DF795FD2D4B46F728C,SHA256=E30C60296F8C2538DE9194FEFEFC2E7BF645804CF341ED524C52CA0A98E89484,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045584Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=1D05EADF8B5987C12351E95499404B05,SHA256=1E4CD89907C8B6E7314B8D0267A44347017F93A61A13548402B10B4F5EA1FB4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045621Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.869{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F27A-60EB-DE7C-00000000CF01}10108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045620Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.869{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045619Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.869{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045618Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.869{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045617Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.869{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045616Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.869{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F27A-60EB-DE7C-00000000CF01}10108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045615Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.869{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F27A-60EB-DE7C-00000000CF01}10108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045614Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.854{466BC892-F27A-60EB-DE7C-00000000CF01}10108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001045613Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.453{466BC892-F27A-60EB-DD7C-00000000CF01}48489928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001045612Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:40.948{466BC892-3462-60E8-100C-00000000CF01}8944C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\bobtcptruefalse10.0.1.14win-dc-890.attackrange.local50883-false172.217.16.138zrh04s06-in-f138.1e100.net443https 10341000x80000000000000001045611Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.190{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F27A-60EB-DD7C-00000000CF01}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045610Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.190{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045609Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.190{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045608Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.190{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045607Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.190{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045606Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.190{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F27A-60EB-DD7C-00000000CF01}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045605Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.190{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F27A-60EB-DD7C-00000000CF01}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045604Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.141{466BC892-F27A-60EB-DD7C-00000000CF01}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045603Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.137{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=114CA18162E242302EF105ABA432E760,SHA256=17A47E3C5C3C2BE0B0CF408F73AAE41BCD67FBBE75117E67FCCE2099D8DD8770,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805840Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:50.079{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60A14AE06FE510F71A7E76AB69B6B915,SHA256=22744DFCEF2080D9A4DB011BAC9D1EB0FEB3481927E43F5D025BDC941A56FB72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045632Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:51.768{466BC892-F27B-60EB-DF7C-00000000CF01}77168544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045631Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:51.553{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F27B-60EB-DF7C-00000000CF01}7716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045630Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:51.537{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045629Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:51.537{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045628Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:51.537{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045627Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:51.537{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045626Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:51.537{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F27B-60EB-DF7C-00000000CF01}7716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045625Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:51.537{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F27B-60EB-DF7C-00000000CF01}7716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045624Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:51.538{466BC892-F27B-60EB-DF7C-00000000CF01}7716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045623Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:51.153{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=977931B5A92BB01976C2CC8EFE93C2EE,SHA256=9A52C812D24742DADCB6D21BA6488BAB138D8AEB0E70E8DFC5D0F91EEB153F67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045622Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:51.153{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0651B0CB496569EC5EA27EA4A2E579C,SHA256=8280063A02D54619C51F0B1EA4B4FF356E88D6AD8BD2C6A9DBD4705A0CD1025F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805842Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:50.259{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57137-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000805841Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:51.095{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF7BD62D7ACBE256EC5C08433133368,SHA256=45287B1C91E2DD0C62312F2D34E0719DCFD36B6A313117551258A45DE50AB196,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045650Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.921{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F27C-60EB-E17C-00000000CF01}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045649Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.921{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045648Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.921{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045647Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.921{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045646Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.921{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045645Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.921{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F27C-60EB-E17C-00000000CF01}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045644Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.921{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F27C-60EB-E17C-00000000CF01}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045643Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.906{466BC892-F27C-60EB-E17C-00000000CF01}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045642Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.552{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDF0035593C4116EF545E5A66FEA5ECB,SHA256=20B5B49367EAFBF998F94FD23A77125A6CFDE150C2DC4FB9328F54821676D972,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045641Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.221{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F27C-60EB-E07C-00000000CF01}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045640Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.221{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045639Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.221{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045638Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.221{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045637Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.221{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045636Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.221{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F27C-60EB-E07C-00000000CF01}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045635Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.221{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F27C-60EB-E07C-00000000CF01}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045634Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.206{466BC892-F27C-60EB-E07C-00000000CF01}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045633Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.189{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CD98C9B50EA4F93479F24949074D451,SHA256=58324A938ECED25000DC215294DCA4C57BA335A0B0C6A885057DEE00FB12EC40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805843Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:52.095{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D04907AD989109179FB8FF57802D27,SHA256=C9C3F0E44D53323F8AEAAFF6719CA156C930194637A8CCF65AF6E41C19255546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805844Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:53.126{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDCE8AD42BCC212E24D6D3436D3C2CC7,SHA256=6EA087A5962A6295FC47A15CE15617F6E0D61A6F57948700FEDFAAA1A503E668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045663Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.906{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBF17196F7B9DF04D411031FA2BF4EBF,SHA256=C0BF0B2A3C9E70D4B798A8DC07F7177F02E4216CC73FACDB3A884348B105334F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045662Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.838{466BC892-F27D-60EB-E27C-00000000CF01}98729860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045661Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.591{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F27D-60EB-E27C-00000000CF01}9872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045660Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.591{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045659Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.591{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045658Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.591{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045657Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.591{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045656Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.591{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F27D-60EB-E27C-00000000CF01}9872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045655Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.591{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F27D-60EB-E27C-00000000CF01}9872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045654Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.586{466BC892-F27D-60EB-E27C-00000000CF01}9872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001045653Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:44.726{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50884-false10.0.1.12-8000- 23542300x80000000000000001045652Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.207{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F784B568FF47AE562B5E0C97D520ECB,SHA256=63C4903789D226D31FEAF6391D369533C77BEC7546EDDC84952847A06F7246D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045651Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.105{466BC892-F27C-60EB-E17C-00000000CF01}6404396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045672Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:54.287{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F27E-60EB-E37C-00000000CF01}10008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045671Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:54.285{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045670Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:54.285{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045669Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:54.285{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045668Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:54.285{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045667Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:54.284{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F27E-60EB-E37C-00000000CF01}10008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045666Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:54.268{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F27E-60EB-E37C-00000000CF01}10008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045665Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:54.269{466BC892-F27E-60EB-E37C-00000000CF01}10008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045664Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:54.237{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E96F3FA732FEC72B9A8490D99133E5CB,SHA256=C9EC1528FAC69EC3E6FE92A240E09B49B42F4A5EB676330082007B0F7E54F274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805845Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:54.138{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F7AB012041B9CDD4363992534F46FA1,SHA256=0A3C235078E177A5C75FAB1866DBB9D102E0D5A8B0CABFCD35AFA04F92215541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045674Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:55.321{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53BEE2455228E7E76FABC0E1A3E2AFB7,SHA256=C26A2F648414FCADA018328EB05251FCCEEBCA75B7571011BB11DE0A64158F57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045673Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:55.252{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED315C1E58DB87C25F4DC53CB1A4C54,SHA256=C876E3871BCCDFF633FB2619F2C9DDF82025B7D89015DFCB4E98152954A77977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805846Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:55.138{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FE73D609A1CB3E8F6B92337004447E5,SHA256=2308F6152AB30FCB7142BEB5C6330AC132908D9D8102FA155FAB858C69077CCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045676Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:56.704{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045675Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:56.267{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83C989DBA22E4F9927F5EFAF1CDAF4F8,SHA256=DD432B020A37F434651FD888C6E2E63A49AA938714990C1CF81B42CDC406C06F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805847Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:56.154{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FED9A27CF889A4BDA7466230D508D047,SHA256=7ADA333081FF8846614A9BC3957DC9125FA12A8D33E366C3F605BE18B98842A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805849Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:56.224{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57138-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000805848Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:57.247{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0D3F6D67D30CD5B17FA7A653ED07F91,SHA256=F44BEA99DF64B510745F4837FA837D5382BF431D9A044D70FC70FA18A9915842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045677Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:57.287{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7743A6025505FAA614818069D0EC446B,SHA256=F96BC1DB7716C77F50525729ACAB726541C97AB5618E12774562866D15C9F1E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805850Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:58.279{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=030CEA7010617F15AB156A18D351E397,SHA256=3F58B1506095E3AAF9008039278F02ECDA5D9C14C155968D9FBACBF898B105A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045681Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.640{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50886-false10.0.1.12-8000- 354300x80000000000000001045680Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.240{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50885-false10.0.1.12-8089- 23542300x80000000000000001045679Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:58.303{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=130F05EF3C23C73796334C5C64004EE6,SHA256=84D5CFABD17DCCE79B7D0D5F067681A9FF5F197655634E35A2AA500C70A97422,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045678Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:58.050{466BC892-5A42-60E8-C510-00000000CF01}7816ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exeC:\Users\bob\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\7816.xml~RFf60c9a0.TMPMD5=4553D3891EC8198EC956E59A7FA89664,SHA256=7DA31B28073EC76DCCA7EDFC3709014058FE36DCB6626D30538493EE344D57A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045682Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:59.334{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B414A8725C811E94D6C0EF72108DB945,SHA256=B24F7983BC1A6A856943F26018691BC3AE70191D9BB4D1E2B8C324FAE843DCFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805851Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:59.310{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E5851E3E73BAB7ABD2F495656E27129,SHA256=2D8CF257FF55ECAF6D25E17C2E65586D30AE65F8CE671CBD86EC22D07D54995C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045708Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.634{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001045707Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.634{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001045706Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.634{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f 10341000x80000000000000001045705Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.634{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 23542300x80000000000000001045704Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.634{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFf60d3b2.TMPMD5=FEEDDF0B48ACBAE2DF2C13E094BA61E1,SHA256=564E4AC53FEF38F8EC2ADC3773CA3AE2E546D9CF626CDED40CA8B8DCCA4D789B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045703Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.619{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\Zcu+SuGceoMw7jEKUb5oDw==.icoMD5=88B48CE20644063F896B4773C1AC1D91,SHA256=4910F163A5CD41C4B118E08ED3499191EFBE57CB26DF84BF39E71E71254404FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045702Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.619{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\xo8k2ky3GpHiI1pLvhaG2w==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045701Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.619{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\VBMHe4znoVL+YG5UjBj2Fg==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045700Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.619{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\v5zZN0gWxQQcSlsFXkjFSw==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045699Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.619{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\uH_MCOVJ9Aduvu6vCVSCpQ==.icoMD5=88B48CE20644063F896B4773C1AC1D91,SHA256=4910F163A5CD41C4B118E08ED3499191EFBE57CB26DF84BF39E71E71254404FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045698Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\u7tfzr9UnZgBN9ofDX_SlQ==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045697Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\ThM2efvLQFClAZ6o2apafw==.icoMD5=5D981C37A2B6D1A11D7FEB87FE58D74B,SHA256=B87A03C2E30B1160D0C50F9E6DD18AF4298B21957368D8020D0A70319D4E78AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045696Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\tdLM+KOjWsfBYA7G0BW+zw==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045695Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\SNLa1UNHrsKGK3H8U+id+w==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045694Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\sCeT886FgjTtZBVrjDjxlQ==.icoMD5=EE7F785510FFD6C4182979149AAB3F3E,SHA256=CDF8CABCD401B895306E04017C2AFDDC2D4D5FE48810BD5E4CC652B668CC5B65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045693Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\Q2sS3vx2J886sbGqfF7B2A==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045692Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.icoMD5=3179477007C6C6EF4023DFBC1FAD412E,SHA256=D1AF848123880D324A8B3D0404F40E19B195380364EFBFACF3126886234A8377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045691Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\OFVEIqzdBKeKpdOgW1or1g==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045690Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\ng2FLPaKpq7YK1yIWMPFRg==.icoMD5=5D981C37A2B6D1A11D7FEB87FE58D74B,SHA256=B87A03C2E30B1160D0C50F9E6DD18AF4298B21957368D8020D0A70319D4E78AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045689Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\MKk4smTa9mGSU6uvnGJXjw==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045688Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\LlB9BoUNa4ZtudtaDQs1yA==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045687Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\IP0wnRTpLv_qsq4nlNF5zw==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045686Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\GCPFYDP8YS_iRU8ht6aUMA==.icoMD5=1A25BD5A01EC04884A81344CEFFDA24C,SHA256=49633BA947E721A8EF218137A24A9874C6B49F4E374C5F304975DAE1B5EFF166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045685Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.587{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\cpEbUHld0HIDZebvGsX43A==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045684Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.587{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\11J3zf_vmVpGrlm9rvHbhg==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045683Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.349{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DCD74D609E26B730E197CE83191BDC0,SHA256=EF2DD642D9B103B9D0CC9282BC72E45D55B27193D4A1F9DBAB1BB7921BE80164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805852Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:00.326{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C979A4BB845711763459C79955D7EF4,SHA256=05845186161895CB454BCBB2D973A47ACF2D57E54029E95DD24A048A65BC2C65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045709Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:01.350{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A13215F81CC157B2A4D8133CBD83D0FA,SHA256=FFDDA4E7D1EAED3BE6A8667ED0C6F544B749FC7E17EA91C57B03AF3E1E6462B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805853Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:01.326{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020C79EC95600E9E2035EC3C119DFD81,SHA256=18762B5EA51B02E6147D1A76808A853EED61F7C1C7FBC8735E5F8F91DA5E3397,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045712Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:02.603{466BC892-02B0-60E8-1600-00000000CF01}130496C:\Windows\System32\svchost.exe{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045711Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:02.603{466BC892-02B0-60E8-1600-00000000CF01}130496C:\Windows\System32\svchost.exe{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045710Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:02.383{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96A65526F1D9CF9A28DA4B095A029729,SHA256=F56CD861043555B3E7C659318EB17B618159C46B358D1B29E054C5675EBD32EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805855Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:01.365{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57139-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000805854Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:02.341{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DFD9AB2CB3B6ECE4DA5C72B572BCF32,SHA256=BB3C030E2E39804D8E638FEEF84EFEEFF1175A4C1932EE176340B4C9F204D410,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805856Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:03.357{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A1ABAEFFC96A68650E0EA748BDC4A66,SHA256=18CEB06B886F19FFF6002B9955E4843A0B1937668DC1FE480939862B5969C3DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045714Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:55.760{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50887-false10.0.1.12-8000- 23542300x80000000000000001045713Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:03.403{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA80ACDA73F1BB5200163FF4D0C07E9,SHA256=802A1F404F17BDBED430FE98FCAE95D520B122A94A05A9389D9917B862AAA15C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045715Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:04.448{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9EF820E3F469768F3F5F9B0FC51E99,SHA256=072E9D1FC614E41D5579AC3DB98D825E5132980AF13FF1D65DC94C76F205FE59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805857Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:04.388{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63F4911455D4780CBC61BF69A31A10EB,SHA256=6921AEDED4C677903F2D0730683F77598DA2FCD41E8E7BFB643B125C4EC5C2DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045716Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:05.485{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=181EFCB068DF2EE990C960BC7F25A84C,SHA256=C54B86CA0AD121A3CD6D7647DE90E7B11126353A3044CB8AA2752D884D4BC032,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805858Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:05.419{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A77FA90244D5E34C0CE6115DCA83FED1,SHA256=33A6CEF33903C3905E4EE78DDD00F7A6538F245D58344225E86286FDB28B7A6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045722Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:06.549{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFCEE72B1D6707A6B801A9B489F1177A,SHA256=2BCEF3EA3D26CE27A23453B119B98AA7BE49A25194AC8E60F05E7F8304E7EE47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805862Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:06.435{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0326DE68F3EB6A924DE12AACD5D4E9FD,SHA256=3D55192FFBAB5F799191D4083A4BB7E43DEE0D8688685CDA4859500E03666F29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045721Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:06.133{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045720Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:06.086{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-57B0-60E8-6810-00000000CF01}7548C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001045719Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:06.086{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-57B0-60E8-6810-00000000CF01}7548C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001045718Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 07:43:06.081{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.7548.370.54388881C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001045717Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 07:43:06.081{466BC892-57B0-60E8-6810-00000000CF01}7548\chrome.7548.370.54388881C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000805861Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:06.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1500-00000000D001}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805860Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:06.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1500-00000000D001}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805859Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:06.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1500-00000000D001}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045723Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:07.581{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9BF1CAFC86DCAEEF98A1A3A18ED0FFD,SHA256=D1C26CE5FBC669C43EB494BC7BEC2953F1ADEEDE6EF51E6D848B91EF3B82132E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805863Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:07.466{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=238524D53B1D97BDD32CB1A074E485A7,SHA256=79691C30F01AE63CED8F1E733CD72E45268936F0D345A74F190BC2A013D109EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045724Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:08.600{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E809DA9EA6BCA39BC1FCD7624F629167,SHA256=E8BF3FCC5C9A1C103ED70E9A626182F39891160809A9C3A73474FA5D07E1AFCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805864Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:08.497{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C978DC6F8B6784C0390C85A044679A67,SHA256=E73F0415B8494775B93AB19D3AFAED75BFB9BC298A9B9C54403DA3562527554B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045725Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:09.615{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8E7A6930EB11D2792C91AFB4D1EE1EA,SHA256=DA42CAE428C5AA385A17AAB71066F673BF67E3D3C7D00F0F3EEC8422F7977BCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805867Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:09.544{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E49F9AA072C9EE48BA09C919F8E31366,SHA256=8C387CC38AC323072CBED48F1B5185B7E8BC7AF5FBBA3E182889DED92BB66AC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805866Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:07.302{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57140-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000805865Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:07.185{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse3.133.117.249ec2-3-133-117-249.us-east-2.compute.amazonaws.com63375-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x80000000000000001045727Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:10.617{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0B8FD60B6BCEFFAF17AED13BCDF50D4,SHA256=6A18DC49B1E50962E719A6DB06E63856EAF4167A873C39BD2ED4641F1438CA76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805868Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:10.544{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6B7B8D640E158B62F7265FCEF6E4345,SHA256=C49D6DE7C1BD1F709AD6EA4E0D2B396306FBEEBBFEEBDB839C78130B4FBBABE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045726Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:01.636{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50888-false10.0.1.12-8000- 23542300x80000000000000001045728Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:11.632{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01DDE23B9D84E22FB786A16D8C26DFD7,SHA256=549B80970BF525A46AD7A5BF2C2E2C8F55C8CBE06C51D780E71DA1669A94A6D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805869Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:11.576{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CB34E3B0AF74F6CD867784F33D6BC70,SHA256=56D4346BD009447084396E1EF777B296280103CC950812D817600CF68438A907,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045729Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:12.647{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B501697F5CBF24A3BBEEB99B2997AA1B,SHA256=59042F70EC4A6102DBEF9329744ECD83DE627AE3195444312093922BCD9D1742,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805872Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:12.669{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74DB58B5B5441FA4F1013BA72D16252C,SHA256=BF711EA8112F468C361C3C213DF6FB6DA5F9CA36F52818403892FBFA2B407EB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805871Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:12.669{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA8CF747067E94A6B097C93CA19E1E5C,SHA256=6E22D24792C6B9B569991FAD5BA972BEE28234EF787AFB9A96141A02738644E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805870Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:12.591{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8231541C5F16D8AE9A9BF1F77466D81E,SHA256=589EFAAD2C5B832ECB1DEE6B91C256341CAE9376310FCA89E8325083AD7B7566,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045731Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:05.209{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57141-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x80000000000000001045730Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:13.662{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FE4BB5530409A42C9F427EECEDB58B1,SHA256=D2DB92C2BB8BD7E61BC3E506410E223EF1FD19B43ECF7E012929D2F45B7CBDC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805874Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:13.654{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03B9B93FF00BCA284522C749F6707D89,SHA256=D08B04CC41A92BB78C497615E8716E413426D275AC5E2A9E0BEF2FABAED25050,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805873Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:11.500{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-31339-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 354300x80000000000000001045733Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:06.773{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50889-false10.0.1.12-8000- 23542300x80000000000000001045732Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:14.678{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A00F87CAA22CA7ADF3814AA6DB03E78,SHA256=DD30A428C3E08A319AC9C27BBAB89065DD4B2D2FB4F56816252B3BFB29C294A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805876Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:14.697{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F845B4869AD6BB7B27864994FBAB57CF,SHA256=0D230F36D5CF05C79A70D04171B8B180DCE490239ABBCEEF74883807C481DA94,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805875Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:11.804{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57141-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 354300x80000000000000001045738Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:07.873{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50890-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001045737Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:07.873{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50890-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x80000000000000001045736Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:15.696{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D72CE0834FC9F81AC8DBD20FD3DBC5F7,SHA256=581599A2889152571934E967B223E23472042B42F3299CC6C147725266424106,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805878Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:15.713{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=843D26EBBA7BB217FDBD996B0EEA1152,SHA256=10A592FAFACCF0A3EF6F62052714163A3441DF83EA536C664492664B8E09862A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045735Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:15.347{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6576C650EC8B80BCE4E848626A770FA,SHA256=CC4CF15AD9D9D60D9E13F7B16827893414849D1AB9DC89AFF3B6E2378D8A898B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045734Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:15.347{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27EB8568DABAB187E4325E7F83A75965,SHA256=00360B33C82F6EE8807D8F69981AD0DA1159ACFA5B498C58C06CBAD97B7CCDC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805877Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:13.208{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57142-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045739Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:16.715{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=638FA9E2252F2F071D49AF91CB12F2B2,SHA256=3AFAA1CC63DBC2808ABBF575555853EE926F0204B74CE02510171A4696F5BCC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805879Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:16.729{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEA87F8B84B8062E1E2849FD040845B2,SHA256=E3A5B545EC35255401B6BBC434CA685B9F264B21D966A73AD26713B867CF934E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805881Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:17.776{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8D1B24E206DF8190C993B4501484BE4,SHA256=2FB1C930861F2B3B4384BD460BB45E16761206D6771247648D2EC8EFB66E9F61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045740Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:17.731{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58FE8E8F7D53FB014B671E81A3D50638,SHA256=BC3FA678B547AFDFF32DDDBE429F6862975974AFB79039542738ABA9BB3B6912,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805880Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:17.026{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74DB58B5B5441FA4F1013BA72D16252C,SHA256=BF711EA8112F468C361C3C213DF6FB6DA5F9CA36F52818403892FBFA2B407EB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805882Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:18.823{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4B73BCCD196B6DE64B84806D86DDA78,SHA256=A077B8EDD6C68C35E57D1F0B6558B2358A7A3685064875FE8F05EFF9A6EB6E55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045742Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:18.746{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B051236AF1B7E6A73B09C5F51CF81B5C,SHA256=0FB624D3B7DEFBF01439A7BC7C95F3428BC6D7CC889794338B3672CCBD923F8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045741Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:18.178{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805883Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:19.823{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D1CBEC932E1768B4E9DBB712A5486DA,SHA256=CD6C77A31573FDBE53C86715DD3883A28FF3759A2B65C29172E33B587988585B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045743Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:19.778{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA0C0BB7DAD10353BC99F6CC0741CC52,SHA256=F7C79F8BEF8BD6A350686863CB732EFEBE83AAB0D06F33E1D3D420583189AABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805886Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:20.885{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF98737AF8EE7496AE0341C7650CF6B9,SHA256=010A7A81369F105E245CB647383C2FC44AA2CEB6D903D4629A893F60518F3C0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045745Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:20.778{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7C4FDB005BCB137AB9638BBECF74F20,SHA256=4763C8BC04FC192333BCFCE6E986A46282D68491287A0187B38F3B8F9D2CE328,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805885Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:20.307{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805884Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:18.330{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57143-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001045744Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:12.653{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50891-false10.0.1.12-8000- 23542300x8000000000000000805887Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:21.932{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EB70DECB9660DD6FAB55C2F9C892C2F,SHA256=30BAEDAA4783C08CB01AD5EF5588A776A9CFD44CBB6D8AEA452B49EE4A57B8C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045746Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:21.796{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C41EE2C625C9531DAD762B9BC61EC2,SHA256=71895BB5E813CD8A0FAE411B34EBE5CB89FAD643F29B10938F01BDEF78F24F53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045747Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:22.844{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D267987A5D58FA83A6EC3C7B20474F92,SHA256=428631DE69F0DF62CA29EEDD851F37D19DC32E817187D73D0E1DC17523011340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805889Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:22.963{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5113310500A44E009F51496B7FDA595,SHA256=8653A632140F31B533723EDC4B6CCA7727CD06E54A236E6381654DB6FF7A7940,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805888Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:20.440{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57144-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000805890Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:23.979{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8CEA903A33FE7D7A4EA4AA160C1D1DA,SHA256=BF594DD0250B8313FB2B46297831FEFFDB2A1C1685D7296E2B51ECBA3C35D222,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045748Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:23.913{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23C2B8401F68288AD18F15BEAA68095D,SHA256=2B151289938E41137AC7FD0CF82DBF0D145DC03CCC0159C955E0DC49F035899E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045749Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:24.929{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A64FBDFA263AE88808CB3CC421E8C668,SHA256=CF834E036EEA70907F3CCA773BA82542E2DE44F717A0700B3D1A8806DEC518ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805917Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.791{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F29C-60EB-3579-00000000D001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805916Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.791{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805915Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.791{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805914Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.791{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805913Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.791{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805912Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.791{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805911Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.791{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805910Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.791{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805909Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.791{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805908Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.791{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805907Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.791{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F29C-60EB-3579-00000000D001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805906Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.791{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F29C-60EB-3579-00000000D001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805905Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.776{0C1E0330-F29C-60EB-3579-00000000D001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000805904Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.385{0C1E0330-F29C-60EB-3479-00000000D001}520868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805903Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.244{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F29C-60EB-3479-00000000D001}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805902Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.244{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805901Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.244{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805900Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.244{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805899Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.244{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805898Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.244{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805897Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.229{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805896Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.229{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805895Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.229{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805894Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.229{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805893Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.229{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F29C-60EB-3479-00000000D001}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805892Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.229{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F29C-60EB-3479-00000000D001}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805891Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.230{0C1E0330-F29C-60EB-3479-00000000D001}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045751Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:25.944{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BBB617AA2DDC13B42D03DFE664CE410,SHA256=64CA713F3986D63CAA606AFECBCC85E296D7A14FBAEB28FC8049B39D0BF3F526,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805935Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.651{0C1E0330-F29D-60EB-3679-00000000D001}25563908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805934Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.479{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F29D-60EB-3679-00000000D001}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805933Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.479{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805932Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.479{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805931Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.479{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805930Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.479{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805929Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.479{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805928Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.479{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805927Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.479{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805926Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.479{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805925Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.463{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805924Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.463{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F29D-60EB-3679-00000000D001}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805923Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.463{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F29D-60EB-3679-00000000D001}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805922Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.464{0C1E0330-F29D-60EB-3679-00000000D001}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000805921Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.237{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57145-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000805920Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.229{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=853A9E479F94D2F15BCD545D107F415E,SHA256=807CD0B0669848ACB461DF0D61CF2EA5BD641700D31EC409056C8BA8DDB4F8E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805919Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.229{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D10A039549DB5572CD996CEE013BB6A,SHA256=F0AFD45C5CA697C374081226297853BBBB81A51E14F8D00EBBB78A517AC9C972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805918Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.166{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08FD39E386651AFF99A05F50F2E06524,SHA256=99E951460C54D10C7E4D3F35CA4B3098BF876A6DA149E12FD8A15A00FF1B190A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045750Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:17.751{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50892-false10.0.1.12-8000- 23542300x80000000000000001045753Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:26.974{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBEBD21522E0F64414B46DCB72A330F2,SHA256=FCA390D9721FAF4EA886494A39BB1F20720D84A45FEDE169F3B0ADE65357EAB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805964Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.947{0C1E0330-F29E-60EB-3879-00000000D001}24003928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805963Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.822{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F29E-60EB-3879-00000000D001}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805962Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.822{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805961Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.822{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805960Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.822{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805959Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.822{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805958Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.822{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805957Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.822{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805956Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.822{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805955Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.807{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805954Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.807{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805953Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.807{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F29E-60EB-3879-00000000D001}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805952Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.807{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F29E-60EB-3879-00000000D001}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805951Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.808{0C1E0330-F29E-60EB-3879-00000000D001}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000805950Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.698{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=853A9E479F94D2F15BCD545D107F415E,SHA256=807CD0B0669848ACB461DF0D61CF2EA5BD641700D31EC409056C8BA8DDB4F8E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805949Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.448{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63EE9F5BB659AEB05FD790CA92B847BE,SHA256=8CA827F26995D4666E830934781F5575369F10D3EFAE05E29425D1189220C651,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045752Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:18.694{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-53243-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 10341000x8000000000000000805948Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.166{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F29E-60EB-3779-00000000D001}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805947Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.166{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805946Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.166{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805945Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.166{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805944Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.166{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805943Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.166{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805942Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.166{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805941Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.166{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805940Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.151{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805939Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.151{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805938Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.151{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F29E-60EB-3779-00000000D001}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805937Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.151{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F29E-60EB-3779-00000000D001}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805936Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.151{0C1E0330-F29E-60EB-3779-00000000D001}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045757Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:27.992{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=150FB7050802D0A16C59CA061A538063,SHA256=CC7D00FA3BBF31E36A03602B280817017367C875AB3BC2E4BF2841B3A91F786F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805980Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.948{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8881C08752F4786A7B5536D70F47F4AF,SHA256=0A5D2B394D24352D2F81E1576F69584C71DD761C998FD36588A4072B253DBD07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805979Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.948{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=149572522252F789C8A05686B78EAEF8,SHA256=09D532E82DCD3AC50CA3FC30AF4B6FB2D640C4B1DBC60EAA8B32DC8B7417899C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805978Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.666{0C1E0330-F29F-60EB-3979-00000000D001}37723708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001045756Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:19.660{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.156.88.187chabka-hosting.com62841-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001045755Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:27.011{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A8C83559D34EDEE4F290BF4559D0B23,SHA256=52C207B6150F385A99C76A68862C2D412C73961F596CAC52F8A7F6F6DA6DC989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045754Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:27.011{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6576C650EC8B80BCE4E848626A770FA,SHA256=CC4CF15AD9D9D60D9E13F7B16827893414849D1AB9DC89AFF3B6E2378D8A898B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805977Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.510{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F29F-60EB-3979-00000000D001}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805976Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.510{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F29F-60EB-3979-00000000D001}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805975Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.510{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F29F-60EB-3979-00000000D001}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805974Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.510{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805973Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.510{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805972Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.510{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805971Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.510{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805970Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.510{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805969Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.510{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805968Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.510{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805967Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.510{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805966Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.510{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805965Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.495{0C1E0330-F29F-60EB-3979-00000000D001}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000805994Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:28.682{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=513511066EF03E91250AD8361308769A,SHA256=9F9BD0658EBF9F7152DBB1F0FA20496A60CD72D6C45767CFC1309FB645BF219D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805993Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:28.197{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F2A0-60EB-3A79-00000000D001}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805992Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:28.197{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805991Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:28.197{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805990Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:28.197{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805989Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:28.197{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805988Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:28.197{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805987Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:28.197{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805986Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:28.197{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805985Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:28.197{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805984Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:28.197{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805983Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:28.197{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F2A0-60EB-3A79-00000000D001}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805982Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:28.182{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F2A0-60EB-3A79-00000000D001}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805981Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:28.182{0C1E0330-F2A0-60EB-3A79-00000000D001}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000805996Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:29.713{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44859898511B19BEFB62A71E4A935E0F,SHA256=C2FE4BF39D7E7A8C7E611CBFF773986A1262D2310767B21CB06BB1F4097D41BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045758Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:29.009{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E98EE942F4231E500D127CF2BB7CDBF,SHA256=04E51EE3D3B1B445A0BA85D0EAFFB00DA248B91605C8157A33F80CE676D2538D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805995Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:29.354{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=010A4AE028416BA28251745B35975DC1,SHA256=66D7AD829E8B61D8E3205DAF7D01FDBE9E78C69C2D8711CB8627287659DD1F4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805999Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:30.744{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA38D5D9D0BBDEAB65EA5D20754051B7,SHA256=E1F96603A0DDDDC31220128373F2AA97B91FFC061153BED5058764AC1E7E3D9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045759Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:30.024{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C15A2D139925B8C09FA4CE8F2CD11BEC,SHA256=842381F370BCF8E20658F6D2F6A3BC33C4EE48F7BA10258DB71F24724F8D9342,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805998Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:29.284{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57146-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000805997Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:30.057{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=ABB74B54F8467AA15ED2B597E129B477,SHA256=584602FF287F791F0ACD8CDD40C169815AEAD283C5D180E861418017E893A1B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806000Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:31.760{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FE777A6323B815CEDFA26DD6F66FCAE,SHA256=CBAAD230AEDDCDBD140E1E952416F374CD3244FD23A615C0B2B417A3CCCE7744,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045772Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:23.765{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50893-false10.0.1.12-8000- 23542300x80000000000000001045771Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:31.539{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F18816DB928C03D3424641D7172E6242,SHA256=2AE4D329D00A0EBE5CD3858DB17167C16217E44B1C858BF18C0A81E5D5A1F7EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045770Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:31.539{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=CBA11A5716F14A317251C468B6ACA489,SHA256=8C8136AF640F13FFFFE9BCB1E9FF50F9419D8B3FCE1BFC5C83BAE5AD8BBF8AC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045769Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:31.539{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=22FA2A570EAE8DD955ADB82B9107E5F0,SHA256=7D733A41180D449F66B635E2B0F8A7DFD1EC340BD9B0625D0716823F15A6CF3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045768Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:31.539{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=2918A292081A7838E747401E7CD4DB01,SHA256=EBA15BF757F74A86A74859501302A2B6118DC9D11246A6F195141451707F8BE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045767Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:31.539{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=EA87859B9BB0B5F4B8FDF330D16917AD,SHA256=724998DAF06AD6D611996656D74A6F27779485C0BC0F5B319DE27C8D25EF1283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045766Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:31.539{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=227A6CE7ABF4025077DA5499D6EBBFEB,SHA256=DAFC57838A7604DD22C6B41EB8841E36180F38218C682863FD064BCC3389DCF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045765Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:31.539{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=226CAE16BE395963391E24E05D84A06A,SHA256=FBD11B7D362BD42FA3C8D96A65A56B742ADC357633CBF2CD5D8E69852AE00B95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045764Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:31.539{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=830001BE95546DCC283306A0FAF46F3B,SHA256=47F7D6AB8C41EF6D034ABBB00C3571DB8EF63DDCF82761A7A0DB0F4DEF617623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045763Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:31.539{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=03FC1A03F683288E9DE4D76E4D3AED16,SHA256=C5106B40B8662BC6F6D2FB81B3DB4FCAD82678EC46ABFA96DE35F5FF7072D26A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045762Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:31.539{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=097E664438F0DE7EA0B585C52A6C40A6,SHA256=580321F5EFCFE0009F6DA8C9EB773E3098A167DA3E1894B5BC172D7AE7CDF4A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045761Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:31.539{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=BA4DCC7C7DF6EAE13E4305518B1F113A,SHA256=06CC7BD6E5CD5A2931E28A46860AD32D7D53E53218DE24709D2F687C406F899C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045760Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:31.039{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A2D1B683B7A973E923259BDD2524CB,SHA256=12615CD617DC556DB62B79C441C427C76D166597B22F6967391414DC9770C8D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806001Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:32.776{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8B22371E30331C527B4E5F7634E4170,SHA256=D326AF25A472B18CAEFBCFFF62D59D04122D8A35D5933B8EF4AB4375120E4D0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045773Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:32.054{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E47D6FDA4B9E4DFC04E51910AFEB359C,SHA256=601162AEB5953252FD9F2D670EBC43BA58D7CF3BEBB013DD5981A08A3F1F9AE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806002Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:33.827{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9735E6625E43EA7E0D5E7D3BBC22024,SHA256=40C1955C6A3A5655C66FC677C662035DCF5C68E3BAC624F9F2D8E31539C6BFD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045774Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:33.070{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD1B72261F5701D0D4349470C10809FD,SHA256=39A74E0EE92999D966562A1A40248830226CA34312A8BF3C790937D4838F0651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806003Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:34.843{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=991D1BCE881E82A1D15170524D7F21BE,SHA256=965EAB7FCD28DEE4CB74AEFBF0B75A53E3F802B230071D357C63AFA17F5A45CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045775Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:34.122{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7876B409DD10DD9EC419CAB5663FC222,SHA256=0A907B7416DBFB92D76EAD9D6D217BA4ED72EB4C011B620CD7DF39393D4FB05B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806004Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:35.858{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D55C1D5F27FF634781B468BD4689F671,SHA256=DF2CD03C5D69EE712C99D36196458F62E4F613CCDC12A73AB8EF3F13C6BE4C0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045778Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:35.453{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B3D0DCE74CADA78064CDC1545F63271,SHA256=F4861E7AF20F0BECF8879F469248BA40493610F908D519BB9173E88BE04EE687,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045777Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:35.453{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A8C83559D34EDEE4F290BF4559D0B23,SHA256=52C207B6150F385A99C76A68862C2D412C73961F596CAC52F8A7F6F6DA6DC989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045776Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:35.137{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AEDC217BF56AB42A15BA68910C0E0B5,SHA256=C737BDD26B3510035811922F0F395ADBD23CC89FD40811A2B47021090E459403,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806009Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:36.874{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95D66BC6D51B327169087CA0BD1CDB46,SHA256=B5973523151579EFCB612921D6D75117E63AEFFF2ECEC5C4D6561DDED861947D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045780Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:29.313{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57148-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x80000000000000001045779Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:36.153{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5949E194787D7593BEB25296FD0854D,SHA256=E81394AB1AD81666705F4AF46ED825BF6C662FF452FDD6255CD85BFF1604666A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806008Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:35.624{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.218-25037-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 354300x8000000000000000806007Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:34.398{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57147-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806006Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:36.765{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DC534C9AA5222E16143A8DB6E712EF5,SHA256=E77F7BF9A4A9657441FAC2D5AADF43AC793238432AF7D551AD803B47B1446374,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806005Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:36.765{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=027AD932C80E6D5AD96B537FC0F3544E,SHA256=D80CCAC1B13D8F91027D8C075E06DB8619394BF1108F219E45D833F6011287FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806011Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:37.875{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EC71181C180CB9C0215A2ED43BB9B6B,SHA256=0C482228139B4D03EC0542F334680738A56030FBA013A56EEC15BF072CC377FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806010Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:35.908{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57148-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x80000000000000001045781Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:37.168{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=345A2988F2C573D4B952A21B4CD7127E,SHA256=55695CA27721B796FD12D43A0C29272DC8C4F9D56B91077D78BEA4FE7C156C07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806012Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:38.888{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71C87426BB0E86B3FF16148676234A57,SHA256=8BCD4AD80BF95528E298338C5004A100D7D15555A70B1EAF18AB928F90BB37EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045784Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:38.436{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=869F72B7831B27B8C703E55BB38D8D1F,SHA256=5CB0AAE7AB5539AF6E3B88D7723C0588B64A7F53984B14ACA45486BACA49571E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045783Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:38.236{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93BDC5A8C1F0CDB526ADD68E30C062B1,SHA256=6C6D6D54039DDEBDE6E373C998E0F134FDB48C3C67F3007248A94096F46E2027,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045782Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:29.710{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50894-false10.0.1.12-8000- 23542300x8000000000000000806013Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:39.903{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85C5B03DE50A49C066E115F2D180A30F,SHA256=E4FA9DEC11DB49E3D3AEC60C9E02B44900A2B78520878D01053BFC4C8516B49B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045785Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:39.250{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F45EC4EB0B959C959E3CBCB83CB55139,SHA256=BA93C2B31A7BD70B9F91987EFD4F3274CC4175F5EA4B87D6F8354330991A0917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806014Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:40.934{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC16AF42397E68B384BD3BD492E644F8,SHA256=1E3C0D4AAD4C832B13F83A4BDC4AB4F74159B80976CABA56677652EA81EEC2EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045786Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:40.265{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C582DAB143D6DF88C36C2FE3DB45CF8,SHA256=A65E5CA5B7A8C06497E5F41F3AA77D849A010AD874B7880B2F6992F16013C097,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806015Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:41.934{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5026DC0A9377B6A74252C10515A45E52,SHA256=64628620CCAFD48EA6668AD1120263AE086B9A8D92FD1374A7605A20344345B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045790Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:41.418{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1500-00000000CF01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045789Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:41.418{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1500-00000000CF01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045788Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:41.418{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1500-00000000CF01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045787Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:41.283{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=316FF4602A79E0B4846210C0B36C7A2A,SHA256=BE648042DB98765170AD8F67AA16FC282F3CD21832EDB5BD9881EAE6F7B67356,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806017Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:42.950{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE0C692891293D8A74DB90F6D58DB5B0,SHA256=D302EBEB84FC7A024656D3824A759ABCF771B799581A2245C6D5F85A301E0FFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045819Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.588{466BC892-02AD-60E8-0A00-00000000CF01}6163760C:\Windows\system32\services.exe{466BC892-F2AE-60EB-E57C-00000000CF01}3908C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045818Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.567{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F2AE-60EB-E57C-00000000CF01}3908C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045817Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.567{466BC892-02AD-60E8-0A00-00000000CF01}6162696C:\Windows\system32\services.exe{466BC892-F2AE-60EB-E57C-00000000CF01}3908C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+17f9d|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045816Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.552{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-02AD-60E8-0A00-00000000CF01}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045815Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.552{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045814Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.552{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045813Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.552{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-02AD-60E8-0A00-00000000CF01}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001045812Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.552{466BC892-F2AE-60EB-E47C-00000000CF01}6836C:\Windows\System32\taskhostw.exeC:\Users\bob\AppData\Local\Temp\RDR7774.tmp\empty.txt2021-07-12 07:43:42.552 10341000x80000000000000001045811Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.505{466BC892-F2AE-60EB-E47C-00000000CF01}68369920C:\Windows\System32\taskhostw.exe{466BC892-5881-60E8-7F10-00000000CF01}7164C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\radarrs.dll+b7b9|C:\Windows\system32\radarrs.dll+7579|C:\Windows\system32\radarrs.dll+5d54|C:\Windows\System32\wdi.dll+1eea|C:\Windows\System32\wdi.dll+6e21|C:\Windows\System32\wdi.dll+14e6|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045810Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.505{466BC892-F2AE-60EB-E47C-00000000CF01}68369920C:\Windows\System32\taskhostw.exe{466BC892-5881-60E8-7F10-00000000CF01}7164C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\radarrs.dll+b4b9|C:\Windows\system32\radarrs.dll+7514|C:\Windows\system32\radarrs.dll+5d54|C:\Windows\System32\wdi.dll+1eea|C:\Windows\System32\wdi.dll+6e21|C:\Windows\System32\wdi.dll+14e6|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045809Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.468{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045808Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.468{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045807Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.468{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045806Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.468{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045805Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.436{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045804Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.436{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045803Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.436{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045802Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.436{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045801Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.436{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045800Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.436{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045799Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.436{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045798Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.436{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045797Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.436{466BC892-02AF-60E8-1400-00000000CF01}10289576C:\Windows\System32\svchost.exe{466BC892-5881-60E8-7F10-00000000CF01}7164C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\radardt.dll+11319|C:\Windows\system32\radardt.dll+f2da|C:\Windows\system32\radardt.dll+727d|c:\windows\system32\wdi.dll+1eea|c:\windows\system32\wdi.dll+1d2c|c:\windows\system32\wdi.dll+14e6|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045796Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.436{466BC892-02AF-60E8-1400-00000000CF01}10289576C:\Windows\System32\svchost.exe{466BC892-5881-60E8-7F10-00000000CF01}7164C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\radardt.dll+d1d3|C:\Windows\system32\radardt.dll+f27e|C:\Windows\system32\radardt.dll+727d|c:\windows\system32\wdi.dll+1eea|c:\windows\system32\wdi.dll+1d2c|c:\windows\system32\wdi.dll+14e6|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045795Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.436{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02AF-60E8-1400-00000000CF01}1028C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045794Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.436{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02AF-60E8-1400-00000000CF01}1028C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045793Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.436{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02AF-60E8-1400-00000000CF01}1028C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045792Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.436{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02AF-60E8-1400-00000000CF01}1028C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045791Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.287{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15E352059B1DEDC7CFA9EFB28A4027F8,SHA256=87231949063C18020C8DE6A982BD6456619D511A5F8AA848BA596E4DCD962655,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806016Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:40.364{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57149-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806018Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:43.950{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A0776EF4179DCC9612F11AC2E03C7FA,SHA256=EC31383B7EC3C307BF54020451CA3232148551CAC3F81D4CF56293B1B3D05A36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045825Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:43.483{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=BC6707CF5232AA9CC977B3DF3E4A3608,SHA256=8D9C82E7B412083E55F15E61DE483A22F5233243513351E39E60075B1C8577D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045824Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:43.467{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00F0766E215A29EC8D1E4E7029A4F1BB,SHA256=CA11BBC5E07BC51FDEF1B0DC4739FE072FBF8F652C167597016D525B7DC12DB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045823Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:43.467{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B3D0DCE74CADA78064CDC1545F63271,SHA256=F4861E7AF20F0BECF8879F469248BA40493610F908D519BB9173E88BE04EE687,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045822Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:43.467{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=BC6707CF5232AA9CC977B3DF3E4A3608,SHA256=8D9C82E7B412083E55F15E61DE483A22F5233243513351E39E60075B1C8577D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045821Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:43.467{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C1BC07E5FD8A18F8F289EDA395661EA4,SHA256=AA70BC0CB8036F67BD83D1671016762B24DCF1085A7E5030F5EA82BF867967D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045820Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:43.467{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03D2C80ACF2B21B28F0C614BDFD7BA1D,SHA256=F80B054496C3C9D5EBDF14EF6C99BF1C2DC489782EAB78A6B837E501430DD3C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806019Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:44.966{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF725499AC76854CEAEF7F7406FE4110,SHA256=A72674700E0480890E60281DF4449EF14CC995E9EE6913FEA13F67A6D17BA467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045827Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:44.470{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B20C684458B4750032DFA7B2D11C1E2,SHA256=232D72640F72E9745C1022B9DAD20C09BB9870624969812175920EA07962E1CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045826Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:35.678{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50895-false10.0.1.12-8000- 23542300x8000000000000000806020Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:45.981{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14FE243EA1B1870F444BFD45FCB9405A,SHA256=FEA0682417116741C5DD65D2A0D082FA5CE7FD7389CDCEA04BA49361B39B4323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045828Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:45.487{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=619A85D532919130759276F45C8E4C25,SHA256=CDCC222059C22935E00B5FD84FCAABDF429867ABB5AD3118DBF584F3F292943C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806021Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:46.981{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DBD4F946F1CC115E746D58B552918F9,SHA256=758CC8630851D1326A7AD37C9E79582918BC6D2A79C5E3E3D2C40DAD7AF8C913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045829Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:46.507{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7C6E48CA68A93686157A9C3B5EDA551,SHA256=CA4D3B1889C31CD214BCEAFC9942D1619DB689EC7D394B99C676DC4095151A26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806022Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:47.997{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18AAE8E051DB5DFA1D1F582CDF102458,SHA256=F4E9C98D2976452D3C7AEAA3BCC9E5A7F6D1EB8E86EAC92A583854E59D404699,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045830Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:47.521{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=730D5DD25BD6F71B6737857C5465E2C9,SHA256=328E53BD5689B250467F12FC822D5170848284D3E11A168D0FC7374322B30C0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045833Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:48.753{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E120EF29D27ACC41B6CE80B4969695FF,SHA256=B86A4C1220CE5A2FCB0B99AF96FDDE371851F0440788D4B0F8CA1BDDAEFDCBCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045832Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:48.753{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00F0766E215A29EC8D1E4E7029A4F1BB,SHA256=CA11BBC5E07BC51FDEF1B0DC4739FE072FBF8F652C167597016D525B7DC12DB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045831Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:48.522{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB29099507875B52017FEBF13CEDE2C2,SHA256=54796EB19D5BE72E490285C57AA57888B367880402B63069203BAD835820BA7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806023Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:46.239{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57150-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045834Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:49.536{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9131F5B7319B6E2979A7B16D2A2ACDC6,SHA256=8BB0A45D6B362E1E197C91DE3AE9285EE4A73EFD4D96602B870C7ACD34AB4CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806024Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:49.028{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87E8D6A35C79A165918410427F8E9447,SHA256=31D57C8EC53D8DBCB33F1D95AB1D3C9F0E51FF938E03C78A3FAEDD288008C495,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001045856Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:43:50.866{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\DFD6B7A8-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_DFD6B7A8-0000-0000-0000-100000000000.XML 13241300x80000000000000001045855Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:43:50.866{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\6C48E9CC-B771-47F3-A036-36AE114D8798\Config SourceDWORD (0x00000001) 13241300x80000000000000001045854Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:43:50.866{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\6C48E9CC-B771-47F3-A036-36AE114D8798\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_6C48E9CC-B771-47F3-A036-36AE114D8798.XML 10341000x80000000000000001045853Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.851{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F2B6-60EB-E77C-00000000CF01}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045852Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.851{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045851Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.851{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045850Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.851{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045849Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.851{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045848Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.851{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F2B6-60EB-E77C-00000000CF01}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045847Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.835{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F2B6-60EB-E77C-00000000CF01}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045846Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.836{466BC892-F2B6-60EB-E77C-00000000CF01}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045845Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.566{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD91BCF0D8DD72C4800AF155F2F9B3B,SHA256=5ABCB6271580CDA110B9B288E13672BAF050460EEEC024664013BD42703A43E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806025Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:50.044{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=548BCFBE6A609715F1F1AF972A56C0AB,SHA256=7B529115423F1A475CFC4726A393674A03E8EC1E12A50C03798CD2308DC6D0F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045844Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.367{466BC892-F2B6-60EB-E67C-00000000CF01}98884212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045843Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.167{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F2B6-60EB-E67C-00000000CF01}9888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045842Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.167{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045841Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.167{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045840Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.167{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045839Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.167{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045838Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.167{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F2B6-60EB-E67C-00000000CF01}9888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045837Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.167{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F2B6-60EB-E67C-00000000CF01}9888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045836Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.152{466BC892-F2B6-60EB-E67C-00000000CF01}9888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001045835Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:41.594{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50896-false10.0.1.12-8000- 354300x80000000000000001045869Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:44.409{466BC892-02AF-60E8-0D00-00000000CF01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50897-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local135epmap 354300x80000000000000001045868Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:44.408{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50897-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local135epmap 10341000x80000000000000001045867Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:51.735{466BC892-F2B7-60EB-E87C-00000000CF01}65044136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045866Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:51.567{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABADA92348ED8C99392F85336B493BC3,SHA256=82AC2930D9E1F3E9F8F42BBDE23DC20760BB82BCB50B701232B234B331370FE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806026Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:51.059{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AB1412BE5079D5E36E7288A7F4DFE0E,SHA256=8ACBBE561FEAD60DB4245CF79B73A0485C62E9DF4CDB477272674FCA42A437D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045865Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:51.536{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F2B7-60EB-E87C-00000000CF01}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045864Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:51.520{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045863Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:51.520{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045862Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:51.520{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045861Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:51.520{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045860Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:51.520{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F2B7-60EB-E87C-00000000CF01}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045859Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:51.520{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F2B7-60EB-E87C-00000000CF01}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045858Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:51.521{466BC892-F2B7-60EB-E87C-00000000CF01}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045857Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:51.152{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E120EF29D27ACC41B6CE80B4969695FF,SHA256=B86A4C1220CE5A2FCB0B99AF96FDDE371851F0440788D4B0F8CA1BDDAEFDCBCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045888Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.819{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F2B8-60EB-EA7C-00000000CF01}10180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045887Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.819{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F2B8-60EB-EA7C-00000000CF01}10180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045886Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.819{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045885Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.819{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045884Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.819{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045883Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.819{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045882Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.819{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F2B8-60EB-EA7C-00000000CF01}10180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045881Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.805{466BC892-F2B8-60EB-EA7C-00000000CF01}10180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045880Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.588{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F2161C7C582C8CD4621B4B269E6269B,SHA256=AD7B071CFE1FC934C2825CBD5F3819ECF668C487FB0FE668E2511FDAB1391529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806027Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:52.075{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF596289A5A448B88E86B6810B7E08BC,SHA256=581CE307040E50D6C992FF95DB24C99B5DEED9556E97E75E8D728CD5636F015F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045879Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.551{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CF63A398D3BA3DFA02C909F124B6F2E,SHA256=8A22A386F4EA73A453814B7D9F36A658AD18DF0D3A7ED8335FFBF940A1421E5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045878Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.435{466BC892-F2B8-60EB-E97C-00000000CF01}51969456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045877Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.219{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F2B8-60EB-E97C-00000000CF01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045876Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.219{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045875Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.219{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045874Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.219{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045873Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.219{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045872Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.219{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F2B8-60EB-E97C-00000000CF01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045871Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.219{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F2B8-60EB-E97C-00000000CF01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045870Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.204{466BC892-F2B8-60EB-E97C-00000000CF01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045914Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.966{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D08FF44FB089FCACFCDB0BFE42628F,SHA256=4A179C8EDC7E693A10EE1DD0B7B019EBA7B1B8A3A8794692267A1BF270E9B75B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045913Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.919{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D2F5DC555E0D12D657AC4508CC16C2B,SHA256=0351EAC9EE10420132AEA6352E4909FB84CB30DF2EA15899AED3C98B9AAD8382,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045912Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.750{466BC892-F2B9-60EB-EB7C-00000000CF01}42285164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000806029Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:51.396{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57151-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806028Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:53.075{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD077EE97A721B3FA6E7E15A840FB254,SHA256=2C3B156BB0EA9C54DED0BC9BAF3E14181EEEC4E382C46A4D901114290DBCBC96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045911Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.487{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F2B9-60EB-EB7C-00000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045910Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.487{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045909Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.487{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045908Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.487{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045907Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.487{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045906Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.487{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F2B9-60EB-EB7C-00000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045905Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.487{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F2B9-60EB-EB7C-00000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045904Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.482{466BC892-F2B9-60EB-EB7C-00000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045903Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.287{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=8AEC05EB6B578A79FA74D561A279507A,SHA256=D81027696BB44DF8596BE262978DCF9B09D1AE3B3D81370CE73DB43C27737D68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045902Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.287{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=1A9B21082B0187C1488CE30BA455CC6A,SHA256=FABB4FFC11B736A6DECA37A2B61E530A8DE041E237F19561760EDFEDB4826526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045901Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.287{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=E483D43A052D48F5B499011D5F02576E,SHA256=40A8751BCEB02BFD8052C20515264F56FB8296AB1CA6972BD3C08F34B6F60A87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045900Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.287{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C9655A72FBD2056C779BECAB29470A35,SHA256=EC9EE230E1DDA8EBAB1146AF3381481C1BA06795323160E856809FCD5F153ECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045899Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.287{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=FBAA04BC7D06E622D6F14078521B6D42,SHA256=5B7ABC468DBED5F072968E42B09AA099B03FC723AB589586951D53909C2F4498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045898Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.287{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F63505866B8F3DEA89E97025CE408D63,SHA256=830D77DA9EA87D3329DDF5E67BF20906B00C6346ABCB757EB5014AC98540C3D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045897Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.287{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F0650E538054F9C3A6AC3BC9A414BAE3,SHA256=FF8FC7A30C74EF84E5375DDEBFD8790356DB0A90A5ECD990A984557894CCAD83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045896Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.286{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=D318B26277E458D8BBCFA6BDB603D030,SHA256=C4D47F04634EA120C176548CE6035265A087390598D411FB1A82D61A57540DEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045895Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.285{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=66E2BB82E74BBCC452FAE6EED701AE3F,SHA256=0BCBCBA5A2F27CBDCA0F83CDDB3661FA7ACBBDD45FDEC9D330598662178C5086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045894Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.284{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=1943E61F7167FD89431CA24B172EBFDF,SHA256=4FBD2B74781241AAC94F8E44518E982AAD3765C1514A77C1F063796DEF724A50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045893Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.282{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4EA1A58E8BF748457118E000CEBBA008,SHA256=065C3047B2D937A70E318BFC2F44DC3261E0B69335E46297E0DC7CDFD66F727C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045892Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:44.445{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50899-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 354300x80000000000000001045891Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:44.445{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50899-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 354300x80000000000000001045890Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:44.435{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50898-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 354300x80000000000000001045889Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:44.435{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50898-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 23542300x80000000000000001045923Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:54.786{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8435CE5F5FDB571FA1233ED003A1085F,SHA256=ADD53E8B07ED7FA64A275804A5C2D6EFF66039982099FF27C7324833D8359801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806030Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:54.098{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABAA14F28AB8A32D6D8C423EEA2284E7,SHA256=38918E8264CB9D6291929DE78CE0A8AEF6A8D4ADB669E870550E71CC9A81D11B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045922Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:54.165{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F2BA-60EB-EC7C-00000000CF01}8628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045921Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:54.165{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045920Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:54.165{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045919Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:54.165{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045918Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:54.165{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045917Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:54.165{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F2BA-60EB-EC7C-00000000CF01}8628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045916Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:54.165{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F2BA-60EB-EC7C-00000000CF01}8628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045915Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:54.151{466BC892-F2BA-60EB-EC7C-00000000CF01}8628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045926Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:55.817{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9433F5118046846DBA501EDFC91271C1,SHA256=CE2137F7EC7AA4105996E2D9B2D571B4A5E8ED3A12A18A14C985D32AD59BFD6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806032Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:54.237{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse122.226.223.195-59286-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000806031Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:55.098{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B871AEC74EA4857E2CC5BBB13CCA57,SHA256=08EC9FD9864ADB942F7AE31EE52DFE4F0BE8E7F41FE4F22664FECDDAE8D20AA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045925Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:46.759{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50900-false10.0.1.12-8000- 23542300x80000000000000001045924Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:55.164{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FFD8A398F93F7E17CFB1F06096DD8A4,SHA256=65E120EC0BD575A31EA318AD0A28549CF7325F17CCA572EF5A253267AC957C1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045928Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:56.848{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95FB31B565B6BC58A1BF525711722313,SHA256=73C420E94C8F4AC57F9DB3CDB2110FA4590CE35BB0AC7CEBF9A8C2F8CF758882,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806035Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:56.582{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8144061D94BE60169DD3A6AABA4C8C89,SHA256=B902A100C46DDCA510FE94EB5FF14DF5FB36E5C371A246F037EC7A3F9B2895D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806034Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:56.582{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DC534C9AA5222E16143A8DB6E712EF5,SHA256=E77F7BF9A4A9657441FAC2D5AADF43AC793238432AF7D551AD803B47B1446374,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806033Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:56.129{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A493471BC8517D7DEAF24AB75A06E5,SHA256=57F535522CE76D6EEB911DAB78B588F5E1C3522990543A749AAAEA48582E3823,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045927Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:56.732{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045929Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:57.863{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB0CA2D9F13AC31469D8D5A28977E73,SHA256=1FD45FC8E8D3505248D43CC965DE463C93769CA3AA94096E622F697070E0DC5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806036Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:57.129{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6413FCFF21ECB98A5289B706EF350102,SHA256=D88B2FD953A097F1D6A4806BCFBD0701AF5F5768DB0CB321B12DD17AA39399EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045931Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:58.881{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08BBDD9F746264D4675636920093A631,SHA256=66D542866C6CA1DF30B0E3EAC05C341266383465D84E799D7CDC55CD4D0011F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806037Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:58.144{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9A4FE553B2B1EB7B1D999A9968B8690,SHA256=3D78D08ED47886B19ED44C15133B712C71EF4763EC4DDF3214DE90CEF5C128F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045930Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.273{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50901-false10.0.1.12-8089- 23542300x80000000000000001045942Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:59.915{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687C067EAEBBBF3B2541B26B6526E526,SHA256=1DD62F5EB0E95406842C3DC61E260073FE653147C274ED97A309FB6E6C39E358,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001045941Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:43:59.599{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001045940Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:43:59.599{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0f61ba0b) 13241300x80000000000000001045939Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:43:59.599{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d776e9-0x4af0f7fc) 13241300x80000000000000001045938Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:43:59.599{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d776f1-0xacb55ffc) 13241300x80000000000000001045937Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:43:59.599{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d776fa-0x0e79c7fc) 13241300x80000000000000001045936Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:43:59.599{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001045935Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:43:59.599{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0f61ba0b) 13241300x80000000000000001045934Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:43:59.599{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d776e9-0x4af0f7fc) 13241300x80000000000000001045933Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:43:59.599{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d776f1-0xacb55ffc) 13241300x80000000000000001045932Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:43:59.599{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d776fa-0x0e79c7fc) 354300x8000000000000000806039Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:57.309{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57152-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806038Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:59.160{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5778DC59C28DF4A5DAA518664F4276,SHA256=69466B56E62886DED1D74A74BAFF9DDFC3A8E94FB468C8A3A3803771E61A4CB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045944Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:00.929{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BFEC24048A384D9D581B0ABABE92686,SHA256=54109DC3DBA182A92C58FAC342D074C63FC0912CDDEFCE9538BF8E3FACE2FDBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045943Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.656{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50902-false10.0.1.12-8000- 23542300x8000000000000000806040Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:00.160{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01630760B8FD09FCB2EA363156742B5D,SHA256=F508B3F7AC1F4431C5805F68EB58DD41CC933B2B602A83C07AEF6FBEAD3721C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045945Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:01.977{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D630D7395CF2EEDB2B48151BF3D8D0C6,SHA256=F0F5051AB96EDD5B78056FA1F4290590E86473529169BA417A10AE9FAC3AFFFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806041Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:01.207{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4862FC3E2D8B602D0750643E02F03E,SHA256=57303DBEFDDF5335A9F6A6930EF29421E33DF498AAE48631F43E8ACC35783CA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806042Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:02.207{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAB41BB2AA9009EAB649486888990A3C,SHA256=B1DB4234187DEF0FE739C3F3C68F442B6D7B891FDBBFE4895EE1FED4F4B4EE5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806043Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:03.269{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F266C5658591992600687A0E91B85FD,SHA256=24B13094043C19FE989DEAB932A8D4811C3F4D740AC3F9B8D34D5920BC2E5C82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045946Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:03.012{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22EABD3D6014278955146B66F8F02576,SHA256=CEA2E09A130DCB0772534F8B17CC1EC0F7115A83A91D64B097A6005BD4FE9AAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806045Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:03.231{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57153-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806044Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:04.285{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF746B69849F34924F48851C4EC1E9D8,SHA256=29D431FADF6ED16FC04B9E0E9B0CBB049005DDD535C4C719F27AADBC77F0BF1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045947Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:04.027{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B74FD9E4BD0307C32EE494A8333DC9A,SHA256=54F6D09BFB22C43C60AEDD444FCEB0EB2498C07A5256C00C648CB3992C312260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806046Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:05.285{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E724A5CECB4B542473D94354093EDD58,SHA256=819ED1766D5A36A1CCF3457CF4E2C06D704E3127138F9DB558E12A0565C6A3DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045948Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:05.041{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E0F71DA909199D082B0ABDA49A9D463,SHA256=BB407D374779F6F331DC4141D0C9E8DA36CEE02902CDE17C051436AA9D0A09C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806047Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:06.301{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C98992866668011EF9AA1AD8E50A51C5,SHA256=5F1F7C2D03F0543B1921B7723B2BC360A7D261395639FB11509B3A5A062B276D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045966Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:58.650{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50903-false10.0.1.12-8000- 23542300x80000000000000001045965Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:06.156{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C2A5EBF036AAE0DBE95A4B46AD188AE2,SHA256=ED0961729199833A680162C96B35B15EDD943839A6C5F0AC38A6A052C1F0DF10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045964Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:06.156{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=ED34875B163DCA845C0DD614380CE8FB,SHA256=6E1C330AEC001258E27481F4FD43D03B22787ADC68DCD9FDA350C9850241A26E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045963Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:06.156{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=D4EB652B47860816D4DA4F31E4FD8CA3,SHA256=79355997BE8640DDDD5BF231339966F63D70560768D9EE047ED1D2D0E445DF07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045962Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:06.156{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=10EC0F2E6672BB13172D48C31D73E3C4,SHA256=CC0E1994798B8EDF77E4DA9DF366AFCD953A55F6B7E3FEB0ACBC24600877D229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045961Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:06.156{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045960Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:06.141{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=45BCD4EB5FDBE47D5603997EB949DD7E,SHA256=B48874B723AA3D45B9268044824149118D59C4B7C749055D89B0A1A9686C4BB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045959Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:06.141{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=DF869595511F3594F92E8D69D234CADC,SHA256=6DB9D06BB1ED93C17720E1E4AFF033C58A0F66A435D197F3BBB9F347B4E41283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045958Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:06.141{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=8A81D9F4E3336E823202017DDC3B257D,SHA256=6F62B9D1DF9064BC20D4EFC3FBDC30123C581DB127D3F131EAF5856776ACAE7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045957Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:06.141{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=E649761957C22EF5F610715D57F77690,SHA256=03A0ABBA5EB350D63A02D12D08FBD42D57FC836FF5647D69BA78B25E716B84C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045956Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:06.141{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=D9731033594F51D632472CE46A678CDE,SHA256=1B98826CDCADCC2ED9B2434DD27C4EC400CF485F6266C8F9316974B07E07AFB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045955Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:06.125{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7441F74B29EBA2D472A712DD5F9EED2D,SHA256=ACBE57FF2A26BA11C9B8AFAAA0E219FD879926B561D84EBB11A77340F07CCCDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045954Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:06.125{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=12635014EAC728EF58BF73D3C8457F72,SHA256=5C68F5D0A5969D825DD51D5B485C3A13596B9ADA45531FD5138DFCC24C3C1B03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045953Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:06.078{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-3465-60E8-160C-00000000CF01}6264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001045952Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:06.078{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-3465-60E8-160C-00000000CF01}6264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001045951Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 07:44:06.075{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.6264.1211.104550499C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001045950Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 07:44:06.075{466BC892-3465-60E8-160C-00000000CF01}6264\chrome.6264.1211.104550499C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001045949Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:06.056{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC97FDB35A31FEA5C8B45394CE38DF9,SHA256=4DB954B1A9373A31175C03732F00966CF0B1201D8234349BABA617844DDFAE57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806048Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:07.332{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B43A6C5B7451391E46AE3ECC7CB5D9,SHA256=DD6A854F0BA9498D022DBFEDB77FADA584472DDF511A684453F0E76914A7B963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045967Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:07.078{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54857CCDDCF9791F1989BC69FE7C750D,SHA256=47994C294B3EA779DB01710D1C9985EDF4E4723E99D4053355CA71EC373A98DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806049Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:08.332{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A90AFD130DF178AB47CAE0481D9FF57,SHA256=AAB3FEC079E68E444C202AB995DBC83F58CA2763692E4809B04CB40CA93856CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045968Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:08.094{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA937D0BCE7F2A7866F7A5C8861206C,SHA256=7FF4562BAD466C421065D9D85092D0F93303A5565CBC03872E8143253FD8714F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806050Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:09.363{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F050D7563C05EE8887BB2FA605C8037,SHA256=EE9CFE2A6AB887087B4C3FB01C85936BB8B1FD021BD1ACF824A2932B2240DD91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045969Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:09.109{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6C94923BC9E6A187890440AF5FF0216,SHA256=6322E0513F878E15CC471CB8F536FFAB019A0A14F66850E29E84CEB7B8221682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806051Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:10.395{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5668137374DDA43F4850642CCF353E6D,SHA256=21CB6A1F04CBFFDA2144C3E25A5600D6E661F812446FB2A1CF30D3F47138232A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045971Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:10.807{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-02AB-60E8-0100-00000000CF01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001045970Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:10.123{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C75762C31D2F8A9508B9EC8DE0377E9A,SHA256=79CB4F5CDC797E83B67959643D0335FCE89DC17A333D2C3BF0A1246EBB33E2F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806055Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:11.441{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1257DF19DFB269C60AE3D84487BC90BB,SHA256=0ADFC8AF63516368EDAF252723F7ED42192E43F01EDD39AFFF74C557BEBBDCDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045978Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:04.251{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50905-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 354300x80000000000000001045977Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:04.251{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50905-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 23542300x80000000000000001045976Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:11.722{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9ABE4F4CAEFDC527840058A6E15FD56,SHA256=AD6FCE8A29DB3BC23D05737B30262E38A69800DF9BE436C09D6838EB22680B97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045975Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:11.722{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0254C31A1A63D6EC0FC257B6F370D30,SHA256=0E69469BAE4A8351551C7D15468D8B25F2E59F97599CEE22219FC7144C98917D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045974Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:03.891{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57155-false10.0.1.14win-dc-890.attackrange.local49676- 354300x80000000000000001045973Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:03.810{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50904-false10.0.1.12-8000- 23542300x80000000000000001045972Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:11.138{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B7C8767F43A9270CEB159CCA760D3E8,SHA256=5BDE3AB5D8425F2C4303C2F62904531942F750589F9FE079432D52AD9682FAC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806054Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:11.348{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D585CE5E9B65BB526C064D826E460672,SHA256=41196DF8BC374D71A5ED3FCD1A2FE9C85BD5EDF0E17B4D870C6BA598ACAFE066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806053Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:11.348{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8144061D94BE60169DD3A6AABA4C8C89,SHA256=B902A100C46DDCA510FE94EB5FF14DF5FB36E5C371A246F037EC7A3F9B2895D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806052Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:09.215{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57154-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806057Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:12.473{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D2DF01C27C275041CAC6AD7547C96B,SHA256=A783644B3C097F2144F7E1D684EAC390C6874D2FC17161DCD7CA792DF1D2DB96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045979Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:12.153{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D505DBA3BC9155AB44036A8F5144DC1,SHA256=5B41486B9DC22A34E724526AB010EEF86C8976F889C7094B98FF4200753B1FC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806056Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:10.181{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-38730-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000806059Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:13.504{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2DF4F9BB1062400367968C77344B4D6,SHA256=C867894929327CD3FEF8A52A787A17B4E16E05E0AA8CFDF0E9665C007E079885,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045988Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:04.370{466BC892-02AB-60E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50909-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local445microsoft-ds 354300x80000000000000001045987Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:04.370{466BC892-02AB-60E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50909-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local445microsoft-ds 354300x80000000000000001045986Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:04.367{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50908-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local49666- 354300x80000000000000001045985Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:04.367{466BC892-02AF-60E8-1300-00000000CF01}976C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50908-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local49666- 354300x80000000000000001045984Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:04.366{466BC892-02AF-60E8-0D00-00000000CF01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50907-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local135epmap 354300x80000000000000001045983Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:04.366{466BC892-02AF-60E8-1300-00000000CF01}976C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50907-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local135epmap 354300x80000000000000001045982Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:04.259{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-890.attackrange.local50906-false10.0.1.14win-dc-890.attackrange.local389ldap 354300x80000000000000001045981Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:04.259{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50906-false10.0.1.14win-dc-890.attackrange.local389ldap 23542300x80000000000000001045980Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:13.160{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=337489B19ADDAF0A184C30B1A08F01CC,SHA256=187FDC34F38AE2860CB8C8EFDAD0710510AF7EFD4915DB1F9F112CE8CA153567,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806058Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:10.487{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57155-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000806060Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:14.526{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98D3547F54185C4FBF9D2FF21656A418,SHA256=5D118B88A7E44FB1368784639D34E4BD778B5702794E29E9481E301D69FC92D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045989Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:14.196{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94EBECD9DF45ADC106EA726FAF5D04A5,SHA256=CDD4309CCB5DF9D8AE90763293457D4DA77D89B76BB5143DACA59058603CFD9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806061Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:15.542{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F0D662D18753E6F2A07F24E522F5B31,SHA256=52C857DDF1ADFFC72C07E2A0F9DCCF346CEA3057C094C8D7EB90CB4D585D597E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045991Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:15.357{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9ABE4F4CAEFDC527840058A6E15FD56,SHA256=AD6FCE8A29DB3BC23D05737B30262E38A69800DF9BE436C09D6838EB22680B97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045990Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:15.210{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF3AB04038C96EC5D0BC0A916EAE956D,SHA256=2941C87323506F2808444D1E81BEB6917C0ECD03107D982FF785E9290643B66C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806062Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:16.636{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6C163C47073A610748B0B041CA23ABA,SHA256=B3C2F86F1032BB0595E612FBA98D7457F646452BFC7B7DEAAF4EB1B08E72F0F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045994Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:07.883{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50910-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001045993Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:07.883{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50910-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x80000000000000001045992Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:16.225{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=542524A53F620CA327E9B620998A9F9C,SHA256=8D2817591AAF519C35D2D34BE638F6333BB831C1681653A54481D0F4D28F6D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806064Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:17.651{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D01ED1FA7F231DD8D4D2708417E6E53E,SHA256=FAAD1C91802696EDAD4143D52650D8CE64FCD4FE9BB418593845AEF0316B9BF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045996Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:09.812{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50911-false10.0.1.12-8000- 23542300x80000000000000001045995Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:17.240{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFA9A66F9F9521BC0E7B8116D5D1CBBC,SHA256=DF2F551148DCD5FAD453F407DE63BECF90AD6F5FCB6228B71FAB7F12AC9AA832,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806063Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:15.191{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57156-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806065Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:18.730{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA31593DB1BE467AB69E009FBA585047,SHA256=0A86591B44872674AA095F003466685D7B10F40FC77496B6A8736D7BC4D706B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045998Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:18.254{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A33DCD40E04E1B095F436ADE8576E554,SHA256=D3B10DAC36F18A5CE4C75ED64E35263616923912BE17D743F173C616B5BB1EDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045997Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:18.192{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806066Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:19.730{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C00118FAAFB2292B6759E4EC07DB51BA,SHA256=694BE508649C568D0D0410FB3F447D4B94411B1B9FC62396819CCD9D0D801E95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045999Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:19.272{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71FFC98216B8186FD1D417F617A1E2AD,SHA256=B068ED4B1D1D5761FC3A8B39454836090FCC23CB58699FFA1B31DDB30AE1EA89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806068Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:20.745{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=083E3CAC5DE3E3D0AAC44801B36C0D93,SHA256=460026F4EAD1EDD198F2597242ECCB28600366F727EEB8A7634329802568DCC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046000Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:20.292{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E01DF148C56DEEBEEC1B50AA263958E,SHA256=5C368C3B93DE4CA8CBAB8FCD61C3C93BE307A65BFB58B68EFC92DB0CC434D64B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806067Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:20.323{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806069Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:21.761{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ECEA9461A10948806661781FB8E1FB2,SHA256=B47C0E2CDAA731C999112513A1C360E774DF1BF3C7433399F5CDE78E864B87E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046001Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:21.322{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A4661A124AF2EA0CEED4A03A3D0AAB,SHA256=311168A0810ADE3D9D4CE7CD6D5C7C96C95DB2AD9D9AEAC4E918470BC8E1446A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806072Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:22.776{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=236090CE0B22C4BF5782261EB9CBB2B7,SHA256=3DC5E4D64C4DB1A870880318E125C3023F72EC5842886E4A7790067ED7B6DC5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046004Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:22.539{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=584A2ECFD1AF641152B1951EDA786592,SHA256=0594C17B0D1896C2069894E5950507802787E693BBE9B69D1A39698A2EFA6674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046003Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:22.539{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CE31E3AD68B6B8131C6B5248BF5BED6,SHA256=EE7E1776DCBA93B42FE1B431E68757A247928BE013085433B1C0F295FDA42C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046002Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:22.323{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D00E047BDCD7241373AFC4D3E95614,SHA256=960E3B582EFA0ECC3356B8E7633C234C5E96C0834964559103A0D779B4492DC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806071Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:20.457{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57158-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000806070Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:20.378{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57157-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806073Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:23.792{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70C96826CF9B3D76E14C5BF6DFAA9077,SHA256=89C14FC94A5A04490EFD4317F636006AE147D6BA9DB122397011294553D5CD46,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046006Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:15.709{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50912-false10.0.1.12-8000- 23542300x80000000000000001046005Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:23.324{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54A39CD5DB7A6569916B82986C2517B9,SHA256=28FAB9D5B91688063642FBCF124839DD5ADC42029C60CDB655B669F0385F6F9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806101Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.933{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F2D8-60EB-3C79-00000000D001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806100Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.933{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806099Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.933{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806098Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.933{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806097Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.933{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806096Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.933{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806095Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.933{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806094Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.933{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806093Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.933{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806092Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.933{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806091Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.933{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F2D8-60EB-3C79-00000000D001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806090Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.933{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F2D8-60EB-3C79-00000000D001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806089Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.918{0C1E0330-F2D8-60EB-3C79-00000000D001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806088Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.792{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BE9FB731A6326E3C9A49A20FF3EEE10,SHA256=E58DD7F4EF876C69F0DACFB58E4DA5C81C4FD4DB3472345FCF657AB50D502CA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046013Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:24.355{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EBC09ECD6322AF706CD424D1FB004E6,SHA256=693FAFD1E9D91AF0DFB4F2C1BFA015AE2A413710D774235C20BB01D47DA4ED4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806087Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.401{0C1E0330-F2D8-60EB-3B79-00000000D001}10563920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806086Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.261{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F2D8-60EB-3B79-00000000D001}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806085Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.245{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806084Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.245{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806083Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.245{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806082Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.245{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806081Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.245{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806080Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.245{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806079Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.245{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F2D8-60EB-3B79-00000000D001}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806078Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.245{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806077Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.245{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806076Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.245{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F2D8-60EB-3B79-00000000D001}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806075Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.245{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806074Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.230{0C1E0330-F2D8-60EB-3B79-00000000D001}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000001046012Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:24.176{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\Local Disk (C).lnk2021-07-12 07:44:24.176 11241100x80000000000000001046011Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:24.175{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnk2021-07-09 11:41:53.105 23542300x80000000000000001046010Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:24.174{466BC892-32D3-60E8-770B-00000000CF01}6356ATTACKRANGE\bobC:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnkMD5=5B22BDA347FB1CD053579F9F48B338F8,SHA256=DD33F7D15DB8053456579D01FFE48AA9391F24C8F2B5DFDE536A5732F164F069,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001046009Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:24.155{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnk2021-07-09 11:41:53.105 23542300x80000000000000001046008Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:24.155{466BC892-32D3-60E8-770B-00000000CF01}6356ATTACKRANGE\bobC:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnkMD5=98F916204B1BFE6EDCE8A3DE463888FD,SHA256=36216418E32609EA2015155783A773C74BD126B45F7F969E566DCFDDAC17E7B7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001046007Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:24.124{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\test.lnk2021-07-12 07:44:24.124 23542300x80000000000000001046014Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:25.392{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D126EE42CE3927B38292B34E84F9C3,SHA256=95D734F92F68D2E435F832CCD8D6B7B2A29ED5F375E5D841A8AB06DB3B00D6CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806117Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:25.761{0C1E0330-F2D9-60EB-3D79-00000000D001}20001140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806116Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:25.620{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F2D9-60EB-3D79-00000000D001}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806115Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:25.620{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806114Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:25.620{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806113Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:25.620{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806112Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:25.620{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806111Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:25.620{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806110Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:25.620{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806109Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:25.620{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806108Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:25.605{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806107Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:25.605{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806106Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:25.605{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F2D9-60EB-3D79-00000000D001}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806105Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:25.605{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F2D9-60EB-3D79-00000000D001}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806104Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:25.605{0C1E0330-F2D9-60EB-3D79-00000000D001}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806103Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:25.245{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF65A053BEA574591998FDD9C246F52F,SHA256=09ABFDA1E83743F76CABDC1A5DFC1E5383955AE70D652522DCBC0239EE7C6960,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806102Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:25.245{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D585CE5E9B65BB526C064D826E460672,SHA256=41196DF8BC374D71A5ED3FCD1A2FE9C85BD5EDF0E17B4D870C6BA598ACAFE066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046015Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:26.453{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AAB55C13808214866890E32204FD29A,SHA256=7274F81BCE994CAA77609B6E985BBDDAC82C0A71FDAA1114C37742694D6A8B02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806145Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.995{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F2DA-60EB-3F79-00000000D001}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806144Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.995{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806143Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.995{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806142Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.995{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806141Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.995{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806140Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.995{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806139Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.995{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806138Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.995{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806137Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.995{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806136Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.995{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806135Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.995{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F2DA-60EB-3F79-00000000D001}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806134Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.980{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F2DA-60EB-3F79-00000000D001}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806133Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.980{0C1E0330-F2DA-60EB-3F79-00000000D001}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806132Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.636{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF65A053BEA574591998FDD9C246F52F,SHA256=09ABFDA1E83743F76CABDC1A5DFC1E5383955AE70D652522DCBC0239EE7C6960,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806131Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.308{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F2DA-60EB-3E79-00000000D001}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806130Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806129Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806128Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806127Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806126Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806125Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806124Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806123Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806122Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806121Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.308{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F2DA-60EB-3E79-00000000D001}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806120Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.308{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F2DA-60EB-3E79-00000000D001}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806119Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.293{0C1E0330-F2DA-60EB-3E79-00000000D001}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806118Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.011{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC448D2D37965AE2AC15A0A822BD140,SHA256=A64D56CF6E2C78C8A9A092F7A0350BE5A80948C6923F7256546C2D556C441898,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046023Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:27.992{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046022Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:27.992{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046021Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:27.992{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046020Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:27.992{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046019Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:27.992{466BC892-32CD-60E8-670B-00000000CF01}45163808C:\Windows\system32\csrss.exe{466BC892-F2DB-60EB-ED7C-00000000CF01}9004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046018Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:27.976{466BC892-32D3-60E8-770B-00000000CF01}63567592C:\Windows\Explorer.EXE{466BC892-F2DB-60EB-ED7C-00000000CF01}9004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+1f9aa4|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+175730|C:\Windows\System32\SHELL32.dll+16d60c|C:\Windows\System32\SHELL32.dll+19e7e8|C:\Windows\System32\SHELL32.dll+16d7a6|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x80000000000000001046017Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:27.961{466BC892-F2DB-60EB-ED7C-00000000CF01}9004C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Temp\test"C:\Windows\system32\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x80000000000000001046016Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:27.453{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710ECB0FE8A7B309F44B48BEADD608C7,SHA256=AA0AEDFF3B4AD6B69A50A498DBCE77D095D7AC77219FEA45206C74A334752F01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806161Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:27.683{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F2DB-60EB-4079-00000000D001}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806160Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:27.683{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806159Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:27.683{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806158Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:27.683{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806157Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:27.683{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806156Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:27.683{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806155Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:27.683{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806154Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:27.683{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806153Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:27.683{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806152Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:27.683{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806151Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:27.683{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F2DB-60EB-4079-00000000D001}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806150Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:27.683{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F2DB-60EB-4079-00000000D001}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806149Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:27.668{0C1E0330-F2DB-60EB-4079-00000000D001}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000806148Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.269{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57159-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000806147Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:27.167{0C1E0330-F2DA-60EB-3F79-00000000D001}25401716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000806146Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:27.152{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DE343B69CA6CFD178758C15C92C8FD7,SHA256=BCAA75772CA53BBC9EDA09AD8CFECBF59BA04549FAC6DB24C79C6616E1734A62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046043Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:28.973{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD3BE271808CAEDCBEDA8807448EC297,SHA256=6F096B4BD2ED602C5B6D5DEC7B7E4A779C502E24294CCD61A36342A2FADD235D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046042Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:28.972{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=584A2ECFD1AF641152B1951EDA786592,SHA256=0594C17B0D1896C2069894E5950507802787E693BBE9B69D1A39698A2EFA6674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046041Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:28.454{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B4F3FC626B4DAA96D37854091613E29,SHA256=E34BD2780BAEC370600D79212366E91285296CC2238FC07BC38BCC2BEC7F6ED3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806177Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:28.495{0C1E0330-F2DC-60EB-4179-00000000D001}31602328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806176Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:28.308{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F2DC-60EB-4179-00000000D001}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806175Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:28.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806174Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:28.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806173Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:28.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806172Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:28.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806171Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:28.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806170Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:28.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806169Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:28.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806168Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:28.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806167Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:28.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806166Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:28.308{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F2DC-60EB-4179-00000000D001}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806165Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:28.308{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F2DC-60EB-4179-00000000D001}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806164Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:28.294{0C1E0330-F2DC-60EB-4179-00000000D001}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806163Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:28.167{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B7ABFAC088C6698E301ADF3AE934307,SHA256=2BBE122EA4EC875A22B0D395BE0587BCFBC3E652E9DA3CEDEAC48E16ADF036FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046040Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:28.076{466BC892-32D3-60E8-770B-00000000CF01}63567316C:\Windows\Explorer.EXE{466BC892-F2DB-60EB-ED7C-00000000CF01}9004C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046039Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:28.076{466BC892-32D3-60E8-770B-00000000CF01}63567316C:\Windows\Explorer.EXE{466BC892-F2DB-60EB-ED7C-00000000CF01}9004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046038Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:28.076{466BC892-32D3-60E8-770B-00000000CF01}63567316C:\Windows\Explorer.EXE{466BC892-F2DB-60EB-ED7C-00000000CF01}9004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046037Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:28.076{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F2DB-60EB-EE7C-00000000CF01}96C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046036Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:28.076{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F2DB-60EB-EE7C-00000000CF01}96C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046035Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:28.055{466BC892-32D3-60E8-770B-00000000CF01}63565264C:\Windows\Explorer.EXE{466BC892-F2DB-60EB-ED7C-00000000CF01}9004C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046034Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:28.055{466BC892-32D3-60E8-770B-00000000CF01}63565264C:\Windows\Explorer.EXE{466BC892-F2DB-60EB-ED7C-00000000CF01}9004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046033Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:28.055{466BC892-32D3-60E8-770B-00000000CF01}63565264C:\Windows\Explorer.EXE{466BC892-F2DB-60EB-ED7C-00000000CF01}9004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046032Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:28.055{466BC892-32D3-60E8-770B-00000000CF01}63565264C:\Windows\Explorer.EXE{466BC892-F2DB-60EB-ED7C-00000000CF01}9004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046031Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:28.055{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F2DB-60EB-EE7C-00000000CF01}96C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046030Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:28.055{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F2DB-60EB-EE7C-00000000CF01}96C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046029Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:28.055{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F2DB-60EB-EE7C-00000000CF01}96C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046028Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:28.055{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F2DB-60EB-EE7C-00000000CF01}96C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046027Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:28.040{466BC892-02B0-60E8-1600-00000000CF01}13047328C:\Windows\System32\svchost.exe{466BC892-F2DB-60EB-EE7C-00000000CF01}96C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046026Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:28.040{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F2DB-60EB-EE7C-00000000CF01}96C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046025Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:28.008{466BC892-F2DB-60EB-EE7C-00000000CF01}964316C:\Windows\system32\conhost.exe{466BC892-F2DB-60EB-ED7C-00000000CF01}9004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046024Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:27.992{466BC892-32CD-60E8-670B-00000000CF01}45163808C:\Windows\system32\csrss.exe{466BC892-F2DB-60EB-EE7C-00000000CF01}96C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x8000000000000000806162Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:28.011{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D529B2A86BA08519A538C5D65734B32,SHA256=D5E3C4A84615645C0624EB6A4C1B699A5AAC7716C9996C60B06C31DB2C5E25AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046045Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:21.647{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50913-false10.0.1.12-8000- 23542300x80000000000000001046044Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:29.471{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DC8A32F8FAF37AA0FD45887FA8C7968,SHA256=AF64CCDB938ADBBD9AB95EEA536BEE1C7F4666A3534FA33172504F9FF10DAE82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806179Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:29.308{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1A610F09338202E4210FAE1F99D3C9D,SHA256=80048A7A525B617A5298476986E2F8442977AAD776669F016A22B5CE0E68CCF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806178Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:29.167{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=557339664F63238A788C2F34CC9A43AB,SHA256=D74D59594328B61D8E17E831B7ADCCE4699CA8ADFA28E9D7D340861130D65E40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046046Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:30.490{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7BBBB1F1B0FDA483698F370161BB5E8,SHA256=F2435A6F90E2EB4344E33C95BA74D8FBA7C5D4E92A211425682EAF849A5801A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806181Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:30.183{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0AA3FC9C29A291BBC480616A6C9AD13,SHA256=D7E6261F7AE09C0C5A1FB5B39E55097E779D86E0D139D2F2A991AFF5D11A609F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806180Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:30.058{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3B7CC158AFC88E8D64C26BFDDC557317,SHA256=B238AF01554A0AA32F7F149EF9BE1550EB5FEAA37CC5A0F806BAE961D3B68C72,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046048Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:23.685{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-53565-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001046047Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:31.505{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC07669EC16CFD2265ABCF8593FB16BE,SHA256=7370DD8BEBD22B91143C6C9D9AD9E17F49461798945C4EA56CE510E531FE3D29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806182Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:31.183{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=571600400B6BB20ECF3E38403CF1C794,SHA256=02176A86186FE354444C4797375D752C489AA599E15329F4FD2E267EEEC44184,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046049Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:32.519{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E147229D9714BD5B3B4735F1C5EA728A,SHA256=B1D746ABD42D9E16FEF3D97D0F8505546CC8DDA071F2487E153F7565D887C68B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806183Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:32.261{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B755E30F06A91FC6A4AEF13FF3B1D80,SHA256=71684FD2423FE78295CB161D6CF3429DE09FA9046BB17A575E1FC5F652D2E3BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806185Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:32.237{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57160-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806184Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:33.308{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F932E03C56784567574DF17B1CF2022,SHA256=04D58DBB82A45FD67C5A62C9862BC3A20FB9FCEDB979E8285B3F18940E01B155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046051Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:33.759{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD3BE271808CAEDCBEDA8807448EC297,SHA256=6F096B4BD2ED602C5B6D5DEC7B7E4A779C502E24294CCD61A36342A2FADD235D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046050Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:33.549{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48ADDF6E1647160E03D43D259F57B245,SHA256=824E789D75FAE2096929C61241BBBF54BA149BD1822440E167C0FF1704A1B8F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806186Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:34.344{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9872757ABA0EF8D92373EC5588133B2C,SHA256=04035345B67BBE87E4F63E46F62138FCBC590943D10DDB8D68B98DA18AC045C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046055Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:26.758{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50914-false10.0.1.12-8000- 23542300x80000000000000001046054Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:34.550{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6CCC9F40B92FD27A68E172441349089,SHA256=B9051F58300736044517B03BD499A1C3A53EA6243F58882CA2AD471C6C09EA4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046053Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:34.134{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=36293ADF60D97F3305FBC7893C4C418D,SHA256=6AADAF298C86C4A08FDEB75C17B60E913DD726AA7C35BA04F1ADDF92BA474E3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046052Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:34.134{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=376E2F2378BD3C25F4241C4BF93CE2EC,SHA256=89DB06D16D7CEBFF7A26CE558C78137BB56FA2604700315988E58F274A498374,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806187Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:35.359{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9253E8DEA2B55B0FB9CC5607B9F2985E,SHA256=95476BEA76CFE30333EFB08ABA5383A12B81FF3A32A1ED0CD126073C10AF030B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046056Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:35.569{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C694D796C9AF86F300337E77778590F,SHA256=F3E319E43076ED619A765C5E15740642D4BAAA5A376560109D196F10C6A05924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046057Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:36.587{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53712CAC9492D985BC222ADB51C002B0,SHA256=D9110B64D664C377C6A06C60F0B8058078D39149077980D945CDE3AB263A4661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806188Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:36.452{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02FFF1A97EF6CD93B770DF72180BA32E,SHA256=0C393E453911F4355842B8EA916A1E85D0EEF241E2FD36BF5959DE97C11C2956,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046058Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:37.617{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2C5F41832695F10518CCE68E894EB5,SHA256=AA063D6CB96F8CFB225D0A52BD35FAFFB9A219D1768112CDCAD765FC7D2F7A8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806189Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:37.468{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1E6D9A000BC37D6A5BB3F32495EFD5E,SHA256=7BE82D756E97242B69AF45C65FB80543E933E7DABBBE5F6D6D589F8A6463A010,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806190Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:38.468{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A507C214CD6A93CCE196351981EA83E,SHA256=CA2B7DAC1DC31D3D7F9A0B4C4142BA8561061B7D02961DBBAF9EE543D9600D8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046061Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:38.631{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B405558BAE5DDFC851689CC6B11A03B,SHA256=30F351135D106426EC2EB6467263909EF7FE903C1489A119511C168763B6EDEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046060Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:38.450{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=271F2A7C9319C4B799BFF145C0E8187C,SHA256=8CCD0056855EABD470BBB082AA5F5861F7AF0A24125A82ECD6E5689865BA340A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001046059Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:38.364{466BC892-F2DB-60EB-ED7C-00000000CF01}9004C:\Windows\system32\cmd.exeC:\Temp\test\sil.bat2021-07-12 07:44:38.363 354300x8000000000000000806192Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:38.257{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57161-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806191Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:39.485{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA57B6724BC48E2720FDB3C0EAFFC62C,SHA256=F85419D8E4D7D3D4CADB42129F93E5136F02CD0DB3ED59ABB8111ADE1834E232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046062Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:39.646{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C39C41204E1BEDCF742A599C6ABFD087,SHA256=B968433B161774310BB729766E419F5DFC45F9DE2892EE5C945021492BF12E20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806193Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:40.545{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF99C8C270D3B9124DEF893037579DA3,SHA256=6BF0C205B6FAEBC593BAF51E88D7CC39DBD5F50187C0CF2F4268DADFBF6216F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046063Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:40.663{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8724DDD780D25116168850257EB8DBD1,SHA256=141910656E0C1B3B8FDAF5D1C1DCF434647B30831FA1D649B8F0BDD69AF11B86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046065Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:41.682{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1345E112726DABE25A51E6E38DFBC2B5,SHA256=B07A2949B62E4E539194B9A630DE37AA2C25615FF648CC7A68B16AC4DA78AE88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806194Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:41.547{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC899CF94D24F8640C95A7EC5A494203,SHA256=734DD18CA2CD57C49FB2B763FA068EB8E40F967CAF0BF23C04073D43F2011057,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046064Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:32.639{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50915-false10.0.1.12-8000- 23542300x80000000000000001046066Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:42.781{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00023F87DCDA4678C0829B4214163563,SHA256=C67B4D23F38CF444FB04224AA1E9C3F1A917F12A2C0D085C8E6A2EFFC4789B72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806195Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:42.547{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=648244FFD40B8B91E66CA7CDEB5826DF,SHA256=A6C3324A808BB83D2FFA11095C162E461FED0F8560B550EEEFEA612E677FAB03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806196Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:43.578{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=261DEA4EBCE45B03C1D6A99FE00E172A,SHA256=B5BD02FDD26EF01E278CA40A94E7A767A7BBC95FD537F42CC15B188D46215DF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046067Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:43.782{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1383365A59908EE395C1C2BA04EB72F5,SHA256=2596F87408C6EE2D9AD21D3AD62A3D2D4579AA9C2B7EC2E00BFC0CF1E6F34B4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806197Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:44.578{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DF4FC0B99440D823F3E5E2FD1007DC6,SHA256=D373DB0D6C0854EC230F81D21B98FCFA565E14EE9632E54AE776E2EDEC423E54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046068Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:44.796{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19128E7E22B9C856FE12DB150F3567ED,SHA256=BF13495AC01EE61A08C6B65A8922B2F73963A3FB0D07C5435422C12DEFA9DE98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046083Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:45.812{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C77957A429339DAE46B094E0B314CD07,SHA256=34567E17AC4C2B16387DAE0D043C4AE17E5C407E2CE2557F10D3405BA4FCD7A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806198Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:45.610{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EC7230804BF7BF98B0680C3CF86BD92,SHA256=3E47B320301AD78A5A010E6488BC5094D3D7803C4A121BDD22A12995C58985C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046082Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:45.365{466BC892-32D3-60E8-770B-00000000CF01}63567316C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046081Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:45.364{466BC892-32D3-60E8-770B-00000000CF01}63567316C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046080Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:45.364{466BC892-32D3-60E8-770B-00000000CF01}63567316C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046079Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:45.344{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046078Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:45.344{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046077Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:45.344{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046076Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:45.344{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046075Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:45.181{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046074Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:45.181{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046073Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:45.181{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046072Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:45.181{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046071Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:45.181{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F2ED-60EB-EF7C-00000000CF01}8308C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046070Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:45.181{466BC892-32D3-60E8-770B-00000000CF01}63567592C:\Windows\Explorer.EXE{466BC892-F2ED-60EB-EF7C-00000000CF01}8308C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+80337|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+16d60c|C:\Windows\System32\SHELL32.dll+19e7e8|C:\Windows\System32\SHELL32.dll+2844a3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16d8b0|C:\Windows\System32\SHELL32.dll+16ad2e|C:\Windows\System32\SHELL32.dll+737a1|C:\Windows\System32\SHELL32.dll+76686|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x80000000000000001046069Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:45.104{466BC892-F2ED-60EB-EF7C-00000000CF01}8308C:\Program Files\Notepad++\notepad++.exe8.11Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Temp\test\sil.bat"C:\Windows\system32\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=3433991765511375D3EC11B4FE290298,SHA256=B30DDA913768A864106485E51682E90286D320023221F5676A42CC9B914A11F8,IMPHASH=B65402F137E08F6E43CEEF2CF25E0CC2{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x80000000000000001046087Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:46.826{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A712377678413825FCEDF78DE23755BD,SHA256=9FA53FFF7D8655EC511EDC3DA67737D04F568BAFDF3EA5BABA8F522BF25CEC6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806200Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:44.258{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57162-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806199Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:46.688{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8424C5AAA6D187615A9178FDB0D9949C,SHA256=FEB4EED2E5C2BA2362600A1F09983D01BA2FF8E8DA33FD40B6EF8B7719CDAD6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046086Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:46.127{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21C243F000BF643C33E1459C657CBF1B,SHA256=AAD7E5DA174707331F974733AE42127FF78084DEC6B668978CE9A4C40A1A966A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046085Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:46.127{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B698DD59E61EE1355A552D965121923,SHA256=200230CE5CB5CA47EFD61EFCE2B4A688FE1CA334B6D73CB13374A388BBB4D808,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046084Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:37.766{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50916-false10.0.1.12-8000- 23542300x80000000000000001046088Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:47.827{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFE0D65673CCD1A917E8F4AC4ADE0CFF,SHA256=BE35A391DE3D43D3A3FBCAC6C5F329A389F1EF68579F5EC09525289AE67CAE2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806201Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:47.703{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FD4C99441BD81C57DF88667C3F85FEA,SHA256=FA21B87B2197C225B686922617EBC0878059B0F00F1DAC841CCD9C7C2C2AEBD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046089Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:48.859{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A40D68352189240F2C1474C98907A46F,SHA256=D9F1237EAE9850398CA71C6CA2AA9891B0B8BC1199445CC6501F8CF5ECF8FB90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806202Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:48.735{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F27DC4B96876D6E83CB5A5F5BCAD8FBB,SHA256=17C69028908905CF20123D7109291815D99F641A41F6A9925895545AD3CCE3F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046092Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:49.878{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D1EE105141B04C880B1EB63436707CA,SHA256=8516F14431D45D02A2412FACF16E41BD6ABEEC13AB03E172ECDF8AD5175018D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806203Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:49.828{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=203BB9818FEC45559421A34AABAA88E3,SHA256=A4F051449247BA1638ACE5EE8FB907DF044E56C1EF4CCE00FA15C726CB417E09,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046091Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:41.323{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.188-53160-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001046090Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:49.078{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21C243F000BF643C33E1459C657CBF1B,SHA256=AAD7E5DA174707331F974733AE42127FF78084DEC6B668978CE9A4C40A1A966A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046110Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.893{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD9EB49C75079C164378F6BDAF1DD85B,SHA256=ADB83EBAA3A83CDD18BB363A16A5EFC398F0F358C877DD96D976DF8421E3763E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806205Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:49.383{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57163-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806204Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:50.828{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C737178379CA74F22499C5A9C1C875B,SHA256=EB93B0BE6B3F965957BE92265F850FC4F9E3803DA6860F052EB8168053E86244,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046109Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.862{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F2F2-60EB-F17C-00000000CF01}8836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046108Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.862{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046107Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.862{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046106Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.862{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046105Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.862{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046104Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.862{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F2F2-60EB-F17C-00000000CF01}8836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046103Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.862{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F2F2-60EB-F17C-00000000CF01}8836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046102Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.856{466BC892-F2F2-60EB-F17C-00000000CF01}8836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001046101Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.409{466BC892-F2F2-60EB-F07C-00000000CF01}90007968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046100Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.193{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F2F2-60EB-F07C-00000000CF01}9000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046099Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.193{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046098Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.193{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046097Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.178{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046096Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.178{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046095Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.178{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F2F2-60EB-F07C-00000000CF01}9000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046094Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.178{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F2F2-60EB-F07C-00000000CF01}9000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046093Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.179{466BC892-F2F2-60EB-F07C-00000000CF01}9000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806206Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:51.844{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56F2E34DB5325F8C525DA93F028B940F,SHA256=71C3C88AA33F27EDB3348DAC17861766F43B07BE7ED1DCE12BE1595733970C41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046121Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:51.893{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D2F4A4F2E882B76C51B4AF49E12BB40,SHA256=6EC0A6CA18AE60BC968F20DEFF1AAA102B7C6A16D55F1DF611E769AE62B80997,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046120Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:51.762{466BC892-F2F3-60EB-F27C-00000000CF01}16165516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046119Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:51.539{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F2F3-60EB-F27C-00000000CF01}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046118Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:51.539{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046117Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:51.539{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046116Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:51.539{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046115Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:51.539{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046114Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:51.539{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F2F3-60EB-F27C-00000000CF01}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046113Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:51.539{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F2F3-60EB-F27C-00000000CF01}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046112Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:51.524{466BC892-F2F3-60EB-F27C-00000000CF01}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046111Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:51.224{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0154156110DF4FDE220E8189267E7D7E,SHA256=774611E52C2093D3F3B317BD24633E332D1B7EEFDD8CBE00BCCE2EADAE1AC586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806207Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:52.844{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBCB31A0BFC08DD4433B3049F683FD36,SHA256=22DDCCE759D020A8FD18F3C8F55B1063371FA97F24755857E991275709B78CE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046152Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.939{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7CC0BED66E5CE94869B3BF183C7D7154,SHA256=F772E409BF98F2EA72E1FA6BB7E10E7F81808EE87EA9784BA21B882533481481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046151Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.939{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C1E7FA8A01BF47C458B284524729021A,SHA256=55103CCAB1EF2BE5AFBB1B571ACD9FD7EBD5BB27489CB4BAA02ED868AD5EC243,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046150Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.923{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=CF95448B20677C31CB50791B6C85FDE1,SHA256=B8711BF73122F6948B589DBF3080625909B0B2135988175232D6E1F341B397CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046149Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.923{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=A60B05F15A1B6351C95A38D9AFF2D911,SHA256=4BF692EBEE26B5B357941B814B0494FFA71AD5B227999CF1E99E5845B1BEF3CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046148Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.923{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=584A77D2639841CCACC09C35E39D8AB2,SHA256=B72DCA7CC3DE676271911B7183D89C8CD9E035930732DF7256CA496B265476D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046147Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.923{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=17AC8551F007758C5CF8E818FB5E8687,SHA256=C2B62B3DD6764497D5D4DCDA9171BE34B1F215B7314591C015CC58DF60B06B76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046146Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.923{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D474F9325FC4A137D26A11F296AEF2E,SHA256=1F1E15EDA6F88EAFC0DF828D1DC1C8D4872A00F23E85868C750D23737F208A41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046145Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.923{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=052FC0DD94EA7C6D6EA32398D83B9607,SHA256=524DB6EB8009D1B66E53C27AF7C2446E58E17CD1E0C92EEA14E306C01B01267A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046144Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.923{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=54BB465867E2C818AF5473633E84F4B0,SHA256=67B8E8FAC23A34ABB30DE94279CF93D6905532D2FE0F45161671C6E9AD470BE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046143Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.923{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=1090195F3B89EB0F49D9C560B06EEA18,SHA256=FCD670367CA6225CD415B5FE8F6E4F1BD6F395FF73885EAB11AAFC8A35856885,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046142Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.923{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=D2B4437A625B6F62A9F5B2DFC692D43A,SHA256=75DDAEB182556202C33FF89480E15352525B012141B956C408AFEF2E92006F5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046141Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.923{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=AF1671290254A5FAFF105D990E817918,SHA256=B8D8AD6304CE81B86B0D8D65405EDD05572DF757B498E965194871570957EEC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046140Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.892{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F2F4-60EB-F47C-00000000CF01}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046139Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.892{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046138Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.892{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046137Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.892{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046136Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.877{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046135Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.877{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F2F4-60EB-F47C-00000000CF01}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046134Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.877{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F2F4-60EB-F47C-00000000CF01}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046133Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.878{466BC892-F2F4-60EB-F47C-00000000CF01}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046132Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.524{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=755D57FCC081D35F10F6FF60CEDAC583,SHA256=63C305B4D5C88FBA5229DAE8C70AFE55AAEB59CA4A6D67308537FE86F64256FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046131Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.393{466BC892-F2F4-60EB-F37C-00000000CF01}53369992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001046130Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:43.764{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50917-false10.0.1.12-8000- 10341000x80000000000000001046129Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.224{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F2F4-60EB-F37C-00000000CF01}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046128Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.208{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046127Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.208{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046126Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.208{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046125Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.208{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046124Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.208{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F2F4-60EB-F37C-00000000CF01}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046123Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.208{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F2F4-60EB-F37C-00000000CF01}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046122Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.209{466BC892-F2F4-60EB-F37C-00000000CF01}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806208Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:53.847{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B2AF9720C678510035BCCA1EBBBE2BC,SHA256=73ACCC683DD3EB0E1DBA637273C4378B14905269524F942BD4471A3DD6138C9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046163Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:53.939{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C263258AD4C1CE24480C9BC4BE240B46,SHA256=26F541555C833BE291874AB7A07D1BDB58D06FAF0F982A80BFC5E3777ACF2118,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046162Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:53.892{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=350659B954C4449CB5A3D0DB0CE561D2,SHA256=0298F3A77CF4D297F6AD7FBAC2977097DFA1E0C3D57223E95FBDCB9945387FF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046161Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:53.776{466BC892-F2F5-60EB-F57C-00000000CF01}94889796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046160Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:53.561{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F2F5-60EB-F57C-00000000CF01}9488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046159Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:53.561{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046158Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:53.561{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046157Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:53.561{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046156Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:53.561{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046155Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:53.561{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F2F5-60EB-F57C-00000000CF01}9488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046154Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:53.561{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F2F5-60EB-F57C-00000000CF01}9488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046153Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:53.555{466BC892-F2F5-60EB-F57C-00000000CF01}9488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046172Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:54.959{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D980FD163D8209F612DC47A10F0DBE70,SHA256=3EC5881CE21065DBC0BFA6805292FF4F518723B0DA5D29EAF0658147A09FDE74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806209Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:54.862{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54CF9F9634744130189BA1C490799B15,SHA256=7137F2951BF2275B8579217324CDC3F6E1EE58991DEEF8E53A52ACC7099EF124,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046171Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:54.157{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F2F6-60EB-F67C-00000000CF01}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046170Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:54.154{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046169Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:54.154{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046168Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:54.138{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046167Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:54.138{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046166Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:54.138{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F2F6-60EB-F67C-00000000CF01}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046165Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:54.138{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F2F6-60EB-F67C-00000000CF01}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046164Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:54.140{466BC892-F2F6-60EB-F67C-00000000CF01}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046175Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:55.994{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=988D3A2A1AD919FD8E8690CEEB88D574,SHA256=BBC87586CEC04E91C3C33C80C63930000D6FB34D1F9FE3328A1E3271E407355B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806210Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:55.862{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94496384448391F508E8AC3D9554357,SHA256=5434888DEFFC6E42042B20E264B48FCA7015930C934835712DF5CDAB67C5CBA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046174Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:55.679{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\session.xmlMD5=5818DFC3E741738A4797EE89ADFAD3C5,SHA256=C1C0F897AE1D91C2DF2FC9343770B9115FB7B4FECFD21E70EFFB208A888EB973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046173Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:55.156{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD34199EAF392EEF26A198838FBE6E7C,SHA256=B24A6418C8EBEFBF7975CCB5E8FC13E333C3B048C29BABF6817C69FB65F3C2F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806211Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:56.862{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A89C9A7C3FA82C293DBD2B21BB7D1EB,SHA256=462A333181DD393F60015773F072A41E5C93B01C37CE5B94C316B6E4E7066D8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046176Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:56.760{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806213Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:57.878{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9136C8ACA135A79E185A936D39BBAD0,SHA256=A72272A3A1D1864400A044CB9ADCDDC453351A9AF6434B0E5266BA97EB1983E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806212Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:55.386{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57164-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001046178Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:48.765{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50918-false10.0.1.12-8000- 23542300x80000000000000001046177Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:57.009{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D9BCB01C891F08FEC2918E0C0FB84B0,SHA256=A5AC309E3B9E127F4641D337356803AA5F819ECC1B6EB00C0AB5A31294E3F302,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806214Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:58.894{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63589965E53EFCE17A61FA88150C8D55,SHA256=CC7C707506E8F33C0C68554BB372C7BB6E7E27469294BD5C2A0012EFA3A97415,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046181Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.296{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50919-false10.0.1.12-8089- 23542300x80000000000000001046180Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:58.059{466BC892-5A42-60E8-C510-00000000CF01}7816ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exeC:\Users\bob\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\7816.xml~RFf629e70.TMPMD5=4553D3891EC8198EC956E59A7FA89664,SHA256=7DA31B28073EC76DCCA7EDFC3709014058FE36DCB6626D30538493EE344D57A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046179Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:58.057{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1C326EFC62382E1B23315BCCCCD9FAF,SHA256=631E1760D1603CD914F06DAC179F52EBEB9EDF7186976C9A11CC0905F53BEAF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806215Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:59.894{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF1B4FAFA893EB9A3AD9D030278838B,SHA256=E9694D26E0A4C26E45DDA50D89BE7FEF4EE84C462B590177BF7D4EFF11981572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046182Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:59.091{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42B6486F0E3E5CFBCE9DACDF33ED65D7,SHA256=DC3DEB10E03AB27738D03891781A94FEC679244B108C901CE0C1C3F64F7A9BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806216Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:00.894{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CC42BFE9BF98CD9ED261F11B6F9BE8B,SHA256=690AD87AB2FD3546B4204B2CDBF5B7FDFFE5CB8798B115D8A2D28CA715EAC0AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046260Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.757{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001046259Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.756{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001046258Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.754{466BC892-32D3-60E8-770B-00000000CF01}63562944C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046257Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.754{466BC892-32D3-60E8-770B-00000000CF01}63562944C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046256Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.736{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DF0ED6F82C65D884D9E6A6B28B92EC0,SHA256=9936637E33257E7EC2AB88A8D68CE7CC5D234BB972B0DA99376C1CC1EB91C96A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046255Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.705{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046254Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.705{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046253Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.705{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046252Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.705{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=183C5FD9B02178EAD5DC51D2253F1096,SHA256=E34E5DFD79E69C2E21F1DC8A8ED978B27E69EE735C42C9EFAA35276B90BBBC67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046251Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.689{466BC892-02BC-60E8-2C00-00000000CF01}30644868C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001046250Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.689{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001046249Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.689{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001046248Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.689{466BC892-02BC-60E8-2C00-00000000CF01}30644868C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x80000000000000001046247Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.674{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001046246Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.674{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001046245Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.658{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001046244Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.658{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001046243Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.636{466BC892-32D3-60E8-770B-00000000CF01}63568748C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046242Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.636{466BC892-32D3-60E8-770B-00000000CF01}63568748C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046241Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.621{466BC892-02AF-60E8-0D00-00000000CF01}9005708C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046240Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.621{466BC892-02AF-60E8-0D00-00000000CF01}9005708C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046239Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.621{466BC892-02AF-60E8-0D00-00000000CF01}9005708C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046238Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.621{466BC892-02AF-60E8-0D00-00000000CF01}9005708C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046237Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.621{466BC892-02AF-60E8-0D00-00000000CF01}9005708C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046236Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.621{466BC892-02AF-60E8-0D00-00000000CF01}9005708C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046235Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.621{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046234Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.621{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046233Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.621{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046232Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.621{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046231Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.621{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046230Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.621{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046229Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.621{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046228Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.621{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046227Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.621{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046226Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.621{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046225Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.621{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046224Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.621{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046223Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.621{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046222Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.621{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046221Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.621{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046220Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.621{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046219Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.621{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046218Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046217Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046216Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046215Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046214Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046213Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046212Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046211Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046210Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046209Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046208Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046207Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046206Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046205Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046204Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046203Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046202Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046201Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046200Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046199Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046198Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046197Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046196Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046195Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046194Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046193Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046192Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046191Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046190Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001046189Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001046188Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f 10341000x80000000000000001046187Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 23542300x80000000000000001046186Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFf62a863.TMPMD5=FEEDDF0B48ACBAE2DF2C13E094BA61E1,SHA256=564E4AC53FEF38F8EC2ADC3773CA3AE2E546D9CF626CDED40CA8B8DCCA4D789B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046185Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57ad5|C:\Windows\System32\TwinUI.dll+37578|C:\Windows\System32\TwinUI.dll+37498|C:\Windows\System32\TwinUI.dll+388e3|C:\Windows\System32\TwinUI.dll+36ebd|C:\Windows\System32\TwinUI.dll+36cc1|C:\Windows\System32\TwinUI.dll+10923d|C:\Windows\System32\TwinUI.dll+d20cf|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046184Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57ad5|C:\Windows\System32\TwinUI.dll+375e0|C:\Windows\System32\TwinUI.dll+37485|C:\Windows\System32\TwinUI.dll+388e3|C:\Windows\System32\TwinUI.dll+36ebd|C:\Windows\System32\TwinUI.dll+36cc1|C:\Windows\System32\TwinUI.dll+10923d|C:\Windows\System32\TwinUI.dll+d20cf|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046183Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.121{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEBFB9074519C33D8F16D48A26366CC2,SHA256=FF5045CF3E69093F9BB10AB81486F627170F99E2D9173A23FF32BFBC97C87D3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806217Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:01.925{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1584B50C5B7851FA55E94825EBBDC8AE,SHA256=AB5FFA1E87259C6C1546CC7F0EE1755AE0663535C50F60C19ED39015417CBF58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046261Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:01.136{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CFAAA1CBCADD6211DA9103BF23B82D6,SHA256=61EF907CA0B93B51AED1EFC8ECFFAC954C5D5BE6AD071499773BC919CE35F11D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806218Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:02.941{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC0478E60A576C90A31AD4A0EFA935C4,SHA256=1336F4D19949604C7CF75073774AE596907067CF7A23B847E994E5408F3BCFB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046295Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.689{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\backup\sil.bat@2021-07-12_074455MD5=71FF16ED78441729EC535AC06F91AFCA,SHA256=2F989756F7E17CF8E3D535EDED7B3FB532D41CDA7A547D69E3D2193901BECCAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046294Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:54.659{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50920-false10.0.1.12-8000- 10341000x80000000000000001046293Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.436{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046292Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.436{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046291Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.436{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046290Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.436{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046289Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.436{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046288Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.436{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046287Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.436{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046286Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.436{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046285Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.436{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046284Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.436{466BC892-32D3-60E8-700B-00000000CF01}1664384C:\Windows\System32\sihost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046283Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.374{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046282Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.374{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046281Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.374{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046280Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.374{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046279Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.374{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046278Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.374{466BC892-02BC-60E8-2C00-00000000CF01}30644868C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001046277Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.374{466BC892-02BC-60E8-2C00-00000000CF01}30644868C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 23542300x80000000000000001046276Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.158{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A06827D18DBADE228B25200C673BEEE,SHA256=8366AAC553E880849E49D96BF0736AEB3967CE35C7AD2799BF84DDAEFE44FE94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046275Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.072{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001046274Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.072{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001046273Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.057{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046272Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.057{466BC892-32D3-60E8-770B-00000000CF01}63568252C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046271Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.057{466BC892-32D3-60E8-770B-00000000CF01}63568252C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046270Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.057{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046269Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.057{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046268Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.057{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046267Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.057{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046266Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.057{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046265Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.054{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046264Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.054{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046263Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.054{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046262Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.054{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000806220Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:03.972{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=208A288F3CCD46DC2F8EA9815E4A3889,SHA256=DCD273E3DDD33EC1A3D72CB72052B21CEEB9AA089AEAA54A8718CB4AD255FAF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046354Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.953{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC82FC1B3C1FA12D32A42E117E6F6ADF,SHA256=18038DE0A0D5A962C79837110964E279CC364352CDAE1BA152C0AE3A400141BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046353Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046352Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046351Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046350Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046349Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046348Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046347Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046346Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000806219Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:01.308{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57165-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001046345Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046344Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046343Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046342Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046341Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046340Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046339Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046338Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046337Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046336Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046335Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046334Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046333Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046332Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046331Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046330Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046329Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046328Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046327Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046326Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046325Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046324Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046323Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046322Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046321Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046320Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046319Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046318Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046317Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046316Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046315Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046314Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046313Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046312Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046311Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046310Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046309Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046308Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046307Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046306Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046305Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046304Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046303Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046302Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046301Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046300Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046299Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046298Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046297Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046296Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.188{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A3C8593E82D29664F3787259A9DA27,SHA256=F250575B6866B786E7DD17850DB3F289C3029507664B5C95959DA0BCD7BA59FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806221Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:04.972{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70523A397E49FBE0F104DC9D88633F0B,SHA256=624BDBC95E2605F55EFCB549906BA7E0C0567FF6D99A39661469D959C523BFF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046357Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:04.754{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67C81478DF0D8F416C51AE3ED34C2D1A,SHA256=421832B6BD625ACE8673263D4FC1AA1D22A8E7FD2EE1EE9D7EC0534D47C939F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046356Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:04.753{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE20666FB96508EBED0BE6DE0EBDEB36,SHA256=A888477990D04CA54E85EB7406D2476F4F2242923DD89AA26B544C760C685207,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046355Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:04.204{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D1F466A2571EFDEF895492EC62D18FB,SHA256=4AF5D718CB99C382D508F66626AC298AEC9D5F42906B1B259553DDF304E46305,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806222Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:05.972{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C64A7F2C0158B59B8F3C915C7BF470C9,SHA256=07774EB211BC7B768D5F593B2795241875E8F1D48F4E35A46094EE327F4B31BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046358Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:05.219{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D72DA320E01B870542450ECC0D138F96,SHA256=DF58F477DD82E20A35FEDBD8DF12449B29E4F846F0FD3AF89CD72F9F0CEA5BC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806223Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:06.987{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2CF44981452B1AD0BD78BD4D8F07291,SHA256=32CCF55162CC8236EB745EC1DA26AC2737286FEDD34CAF2DE6B61117B248FFBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046367Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:06.619{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\backup\sil.bat@2021-07-12_074455MD5=42C6E3878971CD6C021BE6EC19E67ECE,SHA256=371CF11D7C4C74777B864345F740C71BCFA824D7DEF1E0114EBB6F5F6C86C609,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001046366Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:06.619{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exeC:\Temp\test\sil.bat2021-07-12 07:44:38.363 23542300x80000000000000001046365Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:06.619{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Temp\test\sil.batMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046364Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:06.254{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D1E46714E1A4C25A1A2D43747343CD3,SHA256=46280B27FE1154D05100167778FBFFE7D2EF2BA1CAEB7D1DFA401CFE38D78E45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046363Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:06.134{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046362Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:06.087{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-5CC7-60E8-0D11-00000000CF01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001046361Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:06.087{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-5CC7-60E8-0D11-00000000CF01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001046360Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 07:45:06.087{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.7760.375.29551504C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001046359Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 07:45:06.087{466BC892-5CC7-60E8-0D11-00000000CF01}7760\chrome.7760.375.29551504C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000806224Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:07.987{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=484CA919A5FC2644C90BC471D7A35938,SHA256=8AAE2581CFB035B65812CF8399C79F60FA6146B62417AEC560E1361BC59626A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046383Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:07.403{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046382Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:07.403{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046381Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:07.403{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046380Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:07.403{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046379Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:07.403{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046378Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:07.403{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046377Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:07.403{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046376Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:07.403{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046375Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:07.403{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046374Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:07.403{466BC892-32D3-60E8-700B-00000000CF01}166410132C:\Windows\System32\sihost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046373Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:07.372{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046372Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:07.372{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046371Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:07.372{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046370Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:07.372{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046369Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:07.372{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x80000000000000001046368Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:07.287{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C29336B42665E1812828449BD0979D3F,SHA256=542FD4C1872F07AC4BC31A4F4BD608191537862695CBA1495D7EBFB249A89F2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046385Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.642{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50921-false10.0.1.12-8000- 23542300x80000000000000001046384Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:08.318{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55D7CA1200FC003969BE65994AA8D231,SHA256=C1383546989AC07ED4DC9D31A75A836CD3BFA81E2F2E08064FECCFF2D8336B0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806225Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:06.355{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57166-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001046386Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:09.333{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AF2A256E46592DFFB7CCA5A7631C0EB,SHA256=B7EA9060D211F55449D2F16B07FE2E2702CE91F4D87A31FBFE8ED34A669C13AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806226Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:09.003{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7981E6BA38121A9C1E6E902575E58E77,SHA256=39162DA94E4F07B33616B36DB3E9EF0F1876E148D929B1B48DBA2B6E485ACB47,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046388Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.893{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57167-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x80000000000000001046387Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:10.370{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=298DB3679A3B812BD96857325E8AE00C,SHA256=A6604A3ABD43926E16220E8B87C953E4A3EEE66A7C590E4BCABFDA9F200CDF4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806230Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:08.890{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-46236-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000806229Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:10.347{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70816EC04134BACD210F87C78F0C3F93,SHA256=FEF34BDDBCE61CE239ACB94E890490879BC9DFFA8D76F4B994A6857AE0154EA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806228Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:10.347{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60F213CBCE119AC69B3470BE29E0C587,SHA256=6824BF9946B23ABEAC7534CC5F03A9F3956443CA35B4592C9AAD376231DC792D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806227Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:10.034{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71C8AF27DD74190DA8C31CE192FBA569,SHA256=D7B36D2BC54D3AE354D8C45A5570CB461E23B1B1F098ACA00BA705A23D860919,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046390Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:11.684{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046389Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:11.384{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CA13D544DB8629083473229D7527018,SHA256=5B8EC953DAC27111379006AA352A4232D2D19B575160E3299DDEE99870C7192A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806231Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:11.066{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=527A28A3877FCD926EDAECD1182151B1,SHA256=0E8642461327F68CED13D25BAC231A3B25D4FC2D1726DFF770BB57580103E59E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001046397Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localEXE2021-07-12 07:45:12.916{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Temp\test\malware.exe2021-07-12 07:45:12.916 10341000x80000000000000001046396Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:12.870{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001046395Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:12.570{466BC892-3462-60E8-100C-00000000CF01}8944C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\AlternateServices.txt2021-07-09 11:40:00.511 23542300x80000000000000001046394Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:12.570{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\AlternateServices.txtMD5=437681975C3154D45D5D95B61D2F5B99,SHA256=491A570342F793C22823F7D5CD092CB3170E2F384187819DE7EADCC376CFCF46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046393Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:12.386{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DF8DDB0EE5E5FFA08D6F806C9C51305,SHA256=6EFD5766CFB26539EA99534E2DAA93C9F888B8D85C5C58E4DD444C996B6EAA7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806233Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:09.491{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57167-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000806232Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:12.097{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=514A3884F1682A2D7C396C7B29B44648,SHA256=8EC19E7E881C53F029CD5B94BD960C1E69976D61D1EE0A61392A2E8592835DB6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001046392Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:12.370{466BC892-3462-60E8-100C-00000000CF01}8944C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\SiteSecurityServiceState.txt2021-07-09 11:40:00.447 23542300x80000000000000001046391Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:12.370{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\SiteSecurityServiceState.txtMD5=3E83EA0CB81B0B5FD20ABC9E0CBCDA53,SHA256=A0F05C51D45AE2D1CB3C3DAE7356534862F725095A3C2D51E89E8EADED34DE92,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046399Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:05.758{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50922-false10.0.1.12-8000- 23542300x80000000000000001046398Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:13.400{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=723F1453F398B2CC3E575AE1FEA32C99,SHA256=9DF4272E14B2EC9C33B24EF1B4B3031EF55C9AA7FA320D7C8217EF6C5B8504A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806234Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:13.159{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A969951358CDF7A8AF3488BDC72BBBCE,SHA256=B339CDB010EBA11F92D8F2C13A87B0B36E21645C89E08978222669AEF51B1F7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046400Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:14.400{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=131B9421C53EBE064ABB261007FB2935,SHA256=CD3B76D75CBE8C8767896B0860CF1519F88A57D68C16557326BDBF922C991473,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806236Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:12.308{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57168-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806235Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:14.172{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B2F140DB0B6D9548A471A44D52F33F0,SHA256=23FB5AD4DAE2B7FB73A055DFAB056114562A78F1791A67552D1B5E94515BAEE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046405Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:07.887{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50923-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001046404Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:07.887{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50923-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x80000000000000001046403Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:15.415{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB59CB561D812F324543AA37D7AE18F2,SHA256=7A8F97C3D4F5B2E09080F3FD9D890F07A5E761990E350B1A550C17941AF24F16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806237Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:15.172{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15816816388C2A9238773041885BC7DB,SHA256=F9306988C5849C831E61579EDEA681A4FCB5DF9BDA4D1C7955D823CFD50FBDCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046402Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:15.351{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D162B1B36F3E948E03DAC4626BB667C,SHA256=60404DCCE3D6AF264081902350106F86CCD4830CE6DBAA923B2B86BFE6A54A11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046401Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:15.350{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67C81478DF0D8F416C51AE3ED34C2D1A,SHA256=421832B6BD625ACE8673263D4FC1AA1D22A8E7FD2EE1EE9D7EC0534D47C939F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046406Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:16.429{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED5C0ADDF6C986333624A23623281F2E,SHA256=CA9B833F600C480CB243C738C323C96831A12CD9CC9C4F769BBF68A06CFB5989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806238Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:16.172{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4CFBD925751B43C6CD37985BC2A4B18,SHA256=4B4764F7C8DA6CC49628B9A213B563FA4D6394A0D20BF8EB1D7DD3E775069DCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046407Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:17.466{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE571EF201FC5EC2DE936A02CFAA0DA,SHA256=F736D3146A4CAA129D751260ED0C6EB60806F180EB813B248AF3212CFB6D8048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806239Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:17.188{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64BE4EB9F3C3E83200B8C68CDA20CBB,SHA256=54EF00A8E3A1D45FC90789CF0C4F6CCC2E976C3AB7277447DB4C0691BAFA0B70,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046417Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:10.783{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50924-false10.0.1.12-8000- 10341000x80000000000000001046416Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:18.727{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046415Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:18.727{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046414Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:18.727{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046413Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:18.727{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046412Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:18.727{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046411Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:18.727{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046410Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:18.727{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046409Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:18.481{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07842C865AE455439593DFC88E82FC0A,SHA256=01C23E0F290EE3C729910EB3617056B22DCFD3FEA8CC77AF0B5E302F8F14CA5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806241Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:17.352{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57169-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806240Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:18.250{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE85434C526364DAF8EF89ACE9E19ED0,SHA256=BE8A1B20CFAD0EAA3C6E0C72EDE1341856322558614F22379E6D3BCBAC9CFEBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046408Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:18.165{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046418Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:19.496{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D60DF9D71D6CD49730C72EFF73952A,SHA256=2CFFFE6E446DB2E5EF49EBE92772D4004B1B1D5A259B38469D20AA96A0549928,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806242Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:19.266{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAFB1C7DDB6DAF4D42C3E63670F5EFC7,SHA256=58C678E8507785DB1F6A0FC871CE7A91AF6479424BF1893D061A86D65AE0DAC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046419Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:20.511{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2852E47CF15CA79437DE9EC883312403,SHA256=D6AE6FB3F997E57B735D207EEDFA9C9C89BB9370696630141E48B1F3765A023C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806244Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:20.344{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806243Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:20.266{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F0A405F8AEF00841DD79613E78811D6,SHA256=E084B227EF9EFA159515EA31488D66FD033AE7617B7287E8CD4FAE11487D230C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046420Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:21.525{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8589A24C57EE2710C274DA9B7F499228,SHA256=A2A339A528D2787835742CE87A4F8A43F73E706A89B0766EFCEC33818E215E93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806245Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:21.297{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB417631B2095ADFB0485FAE5C85CFDB,SHA256=BC9F0410D3FDACE6AB0D397A0F98DEB876A45D8A18E7B323762AAF071518C28A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046421Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:22.561{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF809805748DC87909E3C1B2CE65A72C,SHA256=16333A0030876BEC3C0B8A66F6F6389EEC7659F9C17FE220BF16DC49AFB3432C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806247Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:22.328{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C19F45DACBF12B45AFEF6783DE67656,SHA256=95C933F2ABE7445B38DE7B87A28727C8696A6246EA1CD4EDB063C62E88B661F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806246Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:20.477{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57170-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001046422Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:23.591{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=985ADFB7EAC16280E3E9B43532EA8149,SHA256=499EA559E3FA6BFE8378FFAA3A2F41AB0906C1EDB3506896853EF2DE79686954,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806248Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:23.375{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC2C9B0BC2A96B0B6EB078BC2D972DAB,SHA256=55B4A5FF4CC4EF433F6BE013AF61B0F39B4716C25CF12E299B3DBE6208305168,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046424Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:16.715{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50925-false10.0.1.12-8000- 23542300x80000000000000001046423Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:24.606{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC6D2F23F5A431663A72DC582B2B83D5,SHA256=39871D7BB21C7780DFBC555443F8292AAA05FCCD4399D5BBDEDA093DABE2E868,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806275Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.781{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F314-60EB-4379-00000000D001}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806274Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806273Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806272Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806271Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806270Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806269Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806268Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806267Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806266Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806265Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.781{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F314-60EB-4379-00000000D001}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806264Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.781{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F314-60EB-4379-00000000D001}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806263Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.767{0C1E0330-F314-60EB-4379-00000000D001}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806262Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.406{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB3BD49C72131FB82AA54B5E2139646,SHA256=6C358A688465CD581782880AB29B6D9FC9E4E7F153A137D296D8A30BE69E02D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806261Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.235{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F314-60EB-4279-00000000D001}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806260Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806259Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806258Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806257Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806256Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806255Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806254Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806253Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806252Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806251Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.235{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F314-60EB-4279-00000000D001}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806250Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.235{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F314-60EB-4279-00000000D001}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806249Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.220{0C1E0330-F314-60EB-4279-00000000D001}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046426Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:25.621{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=481C3EF4A23F91119FA7676384D4C03E,SHA256=104D0322832975DC76496D1454B72DF7D475DFE423B45B976A50762D382E38EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806293Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:25.547{0C1E0330-F315-60EB-4479-00000000D001}23601304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000806292Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:25.406{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D996259B1A57BBAEE42E1EB3A982741,SHA256=FF323D5B820135369061379DB0D0879D3D67D7BB9B0AB80A4D1F0C60F1D420B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806291Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:25.406{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F315-60EB-4479-00000000D001}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806290Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:25.406{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806289Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:25.406{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806288Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:25.406{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806287Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:25.406{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806286Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:25.406{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806285Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:25.406{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806284Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:25.406{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806283Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:25.406{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806282Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:25.406{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806281Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:25.406{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F315-60EB-4479-00000000D001}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806280Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:25.406{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F315-60EB-4479-00000000D001}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806279Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:25.392{0C1E0330-F315-60EB-4479-00000000D001}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046425Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:25.190{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=3F35EF069FB77408A9EE78E38B102F35,SHA256=A5952A37F794CDFAA735B243FE5C1A70435E1DF43CECAB41B8885DA93779C7AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806278Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:25.219{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11B2D9C207525A814897619BB31A818C,SHA256=3441B5C0D63EAC883D58D9D9216976FBE9123CB474B1F472F0CDB91D01885105,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806277Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:25.219{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70816EC04134BACD210F87C78F0C3F93,SHA256=FEF34BDDBCE61CE239ACB94E890490879BC9DFFA8D76F4B994A6857AE0154EA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806276Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:23.305{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57171-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001046429Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:26.689{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7B821F7B86B02A2294FFD052FBFDBC3,SHA256=832CCEF440B3984659C13C213530C7435390440388F20ABF8B3083FB75DCFD18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046428Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:26.689{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D162B1B36F3E948E03DAC4626BB667C,SHA256=60404DCCE3D6AF264081902350106F86CCD4830CE6DBAA923B2B86BFE6A54A11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046427Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:26.638{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9404E821E214EE6C10B29873DC72C7D,SHA256=13DF40F45308E5303A75EE6932A8CA8C5BB02A7370903A5E66CF09E2CE14C16E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806322Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.922{0C1E0330-F316-60EB-4679-00000000D001}32402908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806321Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.781{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F316-60EB-4679-00000000D001}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806320Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806319Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806318Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806317Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806316Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806315Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806314Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806313Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806312Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806311Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.781{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F316-60EB-4679-00000000D001}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806310Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.781{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F316-60EB-4679-00000000D001}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806309Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.766{0C1E0330-F316-60EB-4679-00000000D001}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806308Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.563{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB02FB1D514CE585F52B9BAAE63FA9E4,SHA256=F43D29C1AD2C147AB0ED23A7F1FE79530658108B9C54CDF2651A280C8B0BE1C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806307Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.422{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11B2D9C207525A814897619BB31A818C,SHA256=3441B5C0D63EAC883D58D9D9216976FBE9123CB474B1F472F0CDB91D01885105,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806306Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.094{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F316-60EB-4579-00000000D001}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806305Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.094{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806304Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.094{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806303Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.094{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806302Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.094{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806301Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.094{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806300Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.094{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806299Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.094{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806298Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.094{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806297Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.094{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806296Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.094{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F316-60EB-4579-00000000D001}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806295Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.078{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F316-60EB-4579-00000000D001}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806294Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.079{0C1E0330-F316-60EB-4579-00000000D001}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806338Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:27.766{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F426DDD80233EB962B8826DC9EA0BEC,SHA256=D60600A945B95613AF60217D71BF670188CAC048FA44ADE622035C9331A882E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806337Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:27.750{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB6CC13515D7CFC0BEE9ADB69FE014E6,SHA256=D11E0BA9517065C34953DE9A1D8EC4A59A65510CBC80CDD2188A212C605F8BD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046442Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:18.827{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse3.133.117.249ec2-3-133-117-249.us-east-2.compute.amazonaws.com65086-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001046441Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:27.656{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=208840A43ED3BF431EBB2B572F3E2A95,SHA256=634A225C298B0A5984E4D894FCD11EE4538FD77D2DBE936B1656420AFD651380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046440Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:27.141{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=2FF8BB4A1A61333868B3A75118DD4585,SHA256=97578FA21030049103916DD8F8817B5AF794F784CE0712F1B0900A48039D7288,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046439Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:27.141{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=306F0525FE52CEFE24EAD0676B2DB3A7,SHA256=0E4C5A50AA7FA642503541479CF69A87D4BA1EB20C364FB59AF8CB4F8D14FD5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046438Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:27.141{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=FBAB33A5A60F9A8B7E614AECF2EC34EB,SHA256=8CD9AAC3FB6D9F41C0FA8B82ED69139095965FAC31F99264C0B508E64C305EBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046437Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:27.141{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=9BE230CECFF8053831A08D4726F265F5,SHA256=94F041A46BE2C6281C6F4D2A736EA5358A58E039322D8411FC17F0A5779B4436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046436Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:27.141{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=5218A5C0B76F586D3687B4A5B1EA5587,SHA256=BE7D97934E9626C49E3AC975DB657D728E5F70F906F2B61881455FABA00949E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046435Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:27.141{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=EC8C25189B76BF4C511D061B2674E10A,SHA256=8819DAD3118DD5F43410EA316978E12BE192BFAE74D9175F79CD66925CE9D99F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046434Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:27.141{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=B1DA4009F5C646AF012D2F51A48DC314,SHA256=9B297D9F5EBB385AB7198B69FC54B51770E58D14196C574E73DF6368FF59A07A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046433Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:27.141{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C172711955A939D8698F7A0651A1E309,SHA256=536999849FCD81DE214D32B21250586D7C9AC423871C095176ED64C0D9B74B0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046432Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:27.139{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=523B0AD66793AEB8D4BC4DB231E113B9,SHA256=0C4ADA9E445E0FE62D06D208A711E7E6A5E1FBAC6EDA7665580A7B51BAAFB806,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046431Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:27.138{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=1C5DFFEB79D9A94EC4A45E52E4DDBD65,SHA256=90529B00EC6FE84B9318BE1369B57287C4EA1427B4E45EA7A495B41C0F4F86CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046430Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:27.137{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=FAFEEF8726B565B1E6A5D72A7F9C9957,SHA256=CA9DC6E4640C14EA939E582B701D1149849715BEDD591F52CD793DEAF97AE0FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806336Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:27.610{0C1E0330-F317-60EB-4779-00000000D001}10001668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806335Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:27.469{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F317-60EB-4779-00000000D001}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806334Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:27.469{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806333Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:27.469{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806332Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:27.469{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806331Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:27.469{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806330Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:27.469{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806329Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:27.469{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806328Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:27.469{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806327Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:27.469{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806326Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:27.469{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806325Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:27.453{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F317-60EB-4779-00000000D001}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806324Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:27.453{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F317-60EB-4779-00000000D001}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806323Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:27.454{0C1E0330-F317-60EB-4779-00000000D001}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806353Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:28.844{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A51A2C55BDE9D850C8A0AA9019E7B1D,SHA256=B3D9535AD7AFA73281224170E6851B3CFDB1D645526B9F1443876C4FD52A464D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046443Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:28.671{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E65AEEB4EFB56FB1B931BCAE2021DC06,SHA256=8F7D97212ED5738ABE139F9D5DDA1727560026EFB8C73B84FC756568DCF883AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806352Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:28.281{0C1E0330-F318-60EB-4879-00000000D001}39962064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806351Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:28.156{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F318-60EB-4879-00000000D001}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806350Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:28.156{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806349Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:28.156{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806348Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:28.156{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806347Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:28.156{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806346Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:28.156{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806345Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:28.156{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806344Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:28.156{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806343Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:28.156{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806342Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:28.156{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806341Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:28.156{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F318-60EB-4879-00000000D001}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806340Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:28.141{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F318-60EB-4879-00000000D001}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806339Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:28.141{0C1E0330-F318-60EB-4879-00000000D001}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806355Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:29.875{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F5BB7FBFB77472C085ADA4C1E5C4696,SHA256=9F075BA133861FFBF38FA4B69545623826652D2E25F06D2BAB2DA788F63E6A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046444Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:29.687{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F864CDCD945534D728D2C815FE215491,SHA256=F70B46B0A31F83ADAB3358DF5E3C8789025BB1BAE576B072C01C12A27E74B791,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806354Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:29.375{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59D94479E8E86C6669EABD7C00137283,SHA256=9DAD589CE577BFA57779AF798250A72D5B66F7319893DE976F54CA10CF693ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806358Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:30.891{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6345F0F5A31D2346FB9E1635C68E0DC4,SHA256=CC6E716C9D325742746672A38873C15FD82E901680148D3D586AF94655865C33,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046446Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:22.592{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50926-false10.0.1.12-8000- 23542300x80000000000000001046445Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:30.702{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6019046E462A3C0A8C2E29E7CD701248,SHA256=915F54774406F819FF728AD77C3597595AB3081D92767F3979CF7954E2456714,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806357Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:29.227{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57172-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806356Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:30.063{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C3568F37FFE31110A9AC50D5A8457E98,SHA256=9016F3688A7DE7FAC171E59D6A78D45DFB9B2A7C7A042246E86526B72E81040A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806359Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:31.922{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E2B186C27533F9B9B00BA5453746B04,SHA256=8B7C3EC26A63F808A73B9599911181ABC12853AD787C6D2D386541CBD42E2DA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046447Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:31.717{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4896EE401210F33F5D1FBD37DDAE46A3,SHA256=D689FE1406D2CF3D719B4E7A78609CE883DCC5FD2E2D3FBF104497C9C6CB2AFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806360Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:32.953{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69A7FBE79CDE803EF0C48771CE9069A5,SHA256=A816989E36B0DF929CF11D2105FFE2D440495CF324908A73E2DB8862CA329A20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046448Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:32.720{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6867BEE9E8E4BC0966F03687D9E1601E,SHA256=58A9FFD46AE7B1B330D78DF4F4F01D02CBE745AF6AC7379AF7F90BCDE14DED5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806361Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:33.957{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B990913CDAE356203AD1A024839CA40,SHA256=0D2090AF6E38224D0CB2FD8B939888076553767E95C6AB974ED29378CD0F20C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046451Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:33.771{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3557984796DCE25EA2FD01EF42408D19,SHA256=6F47C18854A33DEFA18BC157EF0B80994F03624FC6EF18DB6A0EF9C63E12FC88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046450Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:33.771{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7B821F7B86B02A2294FFD052FBFDBC3,SHA256=832CCEF440B3984659C13C213530C7435390440388F20ABF8B3083FB75DCFD18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046449Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:33.732{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB73B33A15C03C97A36812351B3C3BB6,SHA256=6433533E01EC193CAA7F276A62AFFB4153A9CDDE25E9A3FD8F9C1AC3EDCA537B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806362Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:34.957{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C61E63A08A99F005038F08726138238,SHA256=ED6E373DB3B23016D20DCF9B2F2AE134ECA73531D1AE0B45CC0D220FC31B395E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046452Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:34.739{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4EFA884A2ADEB917C55023341B981C6,SHA256=4CD9BDC1BDDDA22A68572C030FF5468BE648178D05E1CC6680477DE4AC9E6593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806363Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:35.973{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F245DA06DDD20B8C168770C5969A08EA,SHA256=8FB8ACC2D226CA53E2131D9CAFDAFB18CDC612287792210ED861D1681B83F965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046453Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:35.741{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CADFA8CC6D29A96239F2267AABD2E6ED,SHA256=5E8D85B66172A652BF28A1614272DADEEF863E68012B2C7F599D04F7F05AF712,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806365Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:36.973{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7024509B03FDD96FF17D7B3F73DD9E61,SHA256=F526321B70ABFB8D5A1DC11BDA1DAB515F8FB1973B727AC123F1F8A63751346D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046455Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:36.760{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C2C2133FFB6C293537C1BE6DEA3B9E3,SHA256=6B2F0B329DD9B1F6AC389DD62D4D45E217AD6289993EB8446D7FAB9049518BB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806364Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:35.231{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57173-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001046454Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:27.772{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50927-false10.0.1.12-8000- 23542300x80000000000000001046458Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:37.774{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E8A3F3A1D60D8B796C5C14345506A5A,SHA256=C4379CE0BE5391972754D17065DE3D2502E73355BC1C7E842620FFE1ECFDB569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046457Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:37.743{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\session.xmlMD5=27B91AA96770D85683AD75B32A91DE62,SHA256=CD9F0543256167E7A22EE22AC6A5B818D67A697AFB2DB34F328505503497B292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046456Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:37.659{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3557984796DCE25EA2FD01EF42408D19,SHA256=6F47C18854A33DEFA18BC157EF0B80994F03624FC6EF18DB6A0EF9C63E12FC88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046520Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.990{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBF725C081D64FFA748542F83056A132,SHA256=D2EA28EEB09238293FEE4584C3CAA8DFD8C9D9A3E27ECA425FBBFBDCA29723CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046519Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:29.959{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-52160-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001046518Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.974{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B8C49A67B6165D69DD2FAE37A7561FC,SHA256=64E473B66851AB54FE6E8E999942D8576729B06456C497B151B71CF464D8AD09,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046517Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.805{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001046516Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.805{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001046515Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.805{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001046514Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.805{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001046513Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.805{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001046512Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.805{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001046511Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.805{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046510Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.805{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 23542300x8000000000000000806366Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:38.020{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2253FBBC6832A5FEF3F9B7526A9321BB,SHA256=628C0A32B68F1A1A7E183B52443C57C584564AA75CA41773688F72719BD66BE8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046509Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.805{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046508Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.805{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001046507Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046506Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046505Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046504Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001046503Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046502Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046501Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046500Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001046499Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046498Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046497Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046496Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001046495Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046494Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046493Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046492Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001046491Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046490Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046489Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046488Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001046487Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.759{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001046486Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.759{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001046485Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.759{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001046484Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.759{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001046483Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.759{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046482Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.759{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046481Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.759{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046480Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.759{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001046479Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.759{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046478Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.759{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046477Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.759{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046476Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.759{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001046475Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.739{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13ea57|C:\Windows\System32\SHELL32.dll+13ded8|C:\Windows\System32\SHELL32.dll+13dadb|C:\Windows\System32\SHELL32.dll+13dc47|C:\Windows\System32\SHELL32.dll+13dbca|C:\Windows\System32\COMDLG32.dll+10e08 10341000x80000000000000001046474Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.739{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13ea57|C:\Windows\System32\SHELL32.dll+13ded8|C:\Windows\System32\SHELL32.dll+13dadb|C:\Windows\System32\SHELL32.dll+13dc47|C:\Windows\System32\SHELL32.dll+13dbca|C:\Windows\System32\COMDLG32.dll+10e08 10341000x80000000000000001046473Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.738{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13ea57|C:\Windows\System32\SHELL32.dll+13ded8 10341000x80000000000000001046472Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.738{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13ea57|C:\Windows\System32\SHELL32.dll+13ded8|C:\Windows\System32\SHELL32.dll+13dadb 10341000x80000000000000001046471Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.721{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+1028d3|C:\Windows\System32\SHELL32.dll+103034|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 10341000x80000000000000001046470Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.721{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+1028d3|C:\Windows\System32\SHELL32.dll+103034|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 10341000x80000000000000001046469Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.721{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+1028d3|C:\Windows\System32\SHELL32.dll+103034|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40 10341000x80000000000000001046468Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.721{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+1028d3|C:\Windows\System32\SHELL32.dll+103034|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40 10341000x80000000000000001046467Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.658{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+1746d2|C:\Windows\System32\windows.storage.dll+174ba6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814 10341000x80000000000000001046466Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.643{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1747e9|C:\Windows\System32\windows.storage.dll+174907|C:\Windows\System32\windows.storage.dll+174e38|C:\Windows\System32\windows.storage.dll+1751eb|C:\Windows\System32\windows.storage.dll+143885|C:\Windows\System32\windows.storage.dll+145236|C:\Windows\System32\windows.storage.dll+145ab1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e79c|C:\Windows\System32\SHELL32.dll+6e2e5|C:\Windows\System32\SHELL32.dll+6edfd|C:\Windows\System32\SHELL32.dll+7241f|C:\Windows\System32\SHELL32.dll+13e82e|C:\Windows\System32\SHELL32.dll+13e446|C:\Windows\System32\SHELL32.dll+13dec3|C:\Windows\System32\SHELL32.dll+13dadb 10341000x80000000000000001046465Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.643{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+174765|C:\Windows\System32\windows.storage.dll+174907|C:\Windows\System32\windows.storage.dll+174e38|C:\Windows\System32\windows.storage.dll+1751eb|C:\Windows\System32\windows.storage.dll+143885|C:\Windows\System32\windows.storage.dll+145236|C:\Windows\System32\windows.storage.dll+145ab1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e79c|C:\Windows\System32\SHELL32.dll+6e2e5|C:\Windows\System32\SHELL32.dll+6edfd|C:\Windows\System32\SHELL32.dll+7241f|C:\Windows\System32\SHELL32.dll+13e82e|C:\Windows\System32\SHELL32.dll+13e446|C:\Windows\System32\SHELL32.dll+13dec3|C:\Windows\System32\SHELL32.dll+13dadb 10341000x80000000000000001046464Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.643{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+174749|C:\Windows\System32\windows.storage.dll+174907|C:\Windows\System32\windows.storage.dll+174e38|C:\Windows\System32\windows.storage.dll+1751eb|C:\Windows\System32\windows.storage.dll+143885|C:\Windows\System32\windows.storage.dll+145236|C:\Windows\System32\windows.storage.dll+145ab1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e79c|C:\Windows\System32\SHELL32.dll+6e2e5|C:\Windows\System32\SHELL32.dll+6edfd|C:\Windows\System32\SHELL32.dll+7241f 10341000x80000000000000001046463Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.643{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+174749|C:\Windows\System32\windows.storage.dll+174907|C:\Windows\System32\windows.storage.dll+174e38|C:\Windows\System32\windows.storage.dll+1751eb|C:\Windows\System32\windows.storage.dll+143885|C:\Windows\System32\windows.storage.dll+145236|C:\Windows\System32\windows.storage.dll+145ab1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e79c|C:\Windows\System32\SHELL32.dll+6e2e5|C:\Windows\System32\SHELL32.dll+6edfd|C:\Windows\System32\SHELL32.dll+7241f|C:\Windows\System32\SHELL32.dll+13e82e 10341000x80000000000000001046462Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.474{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+c5d7a|C:\Windows\System32\SHELL32.dll+84ae4|C:\Windows\System32\SHELL32.dll+8236b|C:\Windows\System32\SHELL32.dll+81e4d|C:\Windows\System32\SHELL32.dll+a2589|C:\Windows\System32\COMDLG32.dll+13ab9|C:\Program Files\Notepad++\notepad++.exe+169a0f|C:\Program Files\Notepad++\notepad++.exe+1675f3|C:\Program Files\Notepad++\notepad++.exe+202e5a|C:\Program Files\Notepad++\notepad++.exe+202686|C:\Program Files\Notepad++\notepad++.exe+1f2c8a|C:\Program Files\Notepad++\notepad++.exe+1e001c|C:\Program Files\Notepad++\notepad++.exe+1e3f1b|C:\Program Files\Notepad++\notepad++.exe+1defd1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 10341000x80000000000000001046461Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.474{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+c5d68|C:\Windows\System32\SHELL32.dll+84ae4|C:\Windows\System32\SHELL32.dll+8236b|C:\Windows\System32\SHELL32.dll+81e4d|C:\Windows\System32\SHELL32.dll+a2589|C:\Windows\System32\COMDLG32.dll+13ab9|C:\Program Files\Notepad++\notepad++.exe+169a0f|C:\Program Files\Notepad++\notepad++.exe+1675f3|C:\Program Files\Notepad++\notepad++.exe+202e5a|C:\Program Files\Notepad++\notepad++.exe+202686|C:\Program Files\Notepad++\notepad++.exe+1f2c8a|C:\Program Files\Notepad++\notepad++.exe+1e001c|C:\Program Files\Notepad++\notepad++.exe+1e3f1b|C:\Program Files\Notepad++\notepad++.exe+1defd1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7 10341000x80000000000000001046460Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.474{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+c5d68|C:\Windows\System32\SHELL32.dll+84ae4|C:\Windows\System32\SHELL32.dll+8236b|C:\Windows\System32\SHELL32.dll+81e4d|C:\Windows\System32\SHELL32.dll+a2589|C:\Windows\System32\COMDLG32.dll+13ab9|C:\Program Files\Notepad++\notepad++.exe+169a0f|C:\Program Files\Notepad++\notepad++.exe+1675f3|C:\Program Files\Notepad++\notepad++.exe+202e5a|C:\Program Files\Notepad++\notepad++.exe+202686|C:\Program Files\Notepad++\notepad++.exe+1f2c8a|C:\Program Files\Notepad++\notepad++.exe+1e001c|C:\Program Files\Notepad++\notepad++.exe+1e3f1b|C:\Program Files\Notepad++\notepad++.exe+1defd1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 23542300x80000000000000001046459Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.458{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BEF5780075A37A08085079D09E4D8F96,SHA256=708EFF44DD8417FEEE5FAF6AA9553038A7ECC3E9F14BC66A503FD0FAEDA1AB21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046526Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:39.789{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29AD3ABE04E0E52406EEE7217DA31D5B,SHA256=21DA6DD0E0E8F66406502095CED6E0F72BC4B0235463607E43EA18C7761E48A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806367Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:39.051{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E56C5C441B06DB05A87406ECDD8A79F,SHA256=C6C88F5FD7088439C12A768B2B6C143DED63A2341A4376EDBEEC7E4775AFF3BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046525Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:39.021{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001046524Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:39.021{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\System32\SHELL32.dll+83770|C:\Windows\System32\SHELL32.dll+8369d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program Files\Notepad++\notepad++.exe+169a0f|C:\Program Files\Notepad++\notepad++.exe+1675f3|C:\Program Files\Notepad++\notepad++.exe+202e5a|C:\Program Files\Notepad++\notepad++.exe+202686 10341000x80000000000000001046523Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:39.021{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\System32\SHELL32.dll+83770|C:\Windows\System32\SHELL32.dll+8369d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program Files\Notepad++\notepad++.exe+169a0f|C:\Program Files\Notepad++\notepad++.exe+1675f3|C:\Program Files\Notepad++\notepad++.exe+202e5a|C:\Program Files\Notepad++\notepad++.exe+202686 10341000x80000000000000001046522Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:39.021{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\System32\SHELL32.dll+83770|C:\Windows\System32\SHELL32.dll+8369d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4 10341000x80000000000000001046521Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:39.021{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\System32\SHELL32.dll+83770|C:\Windows\System32\SHELL32.dll+8369d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program Files\Notepad++\notepad++.exe+169a0f 23542300x80000000000000001046531Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:40.803{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6E06CC378627DFD24846668A1E5B85A,SHA256=AC322519E52F5F281E9A64EC19F5CB38EBB42BF9843CBF7780370C97B66D8D27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806368Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:40.053{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A4D00F8E7640EFF11CE961E5B1BB679,SHA256=BBE12AEE72D73F330987AC1A6E295C6F8E9F5DD5CA415C936E1CD50D32A1AC9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046530Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:32.240{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50929-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local49666- 354300x80000000000000001046529Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:32.240{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50929-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local49666- 354300x80000000000000001046528Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:32.239{466BC892-02AF-60E8-0D00-00000000CF01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50928-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local135epmap 354300x80000000000000001046527Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:32.239{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50928-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local135epmap 23542300x80000000000000001046532Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:41.818{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AED93FB9566E12DED81DFDBB12507DA,SHA256=3E04773DCB04C4149664C1D63061FA913190136D8AE0CE771CD80EFB37ACAAF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806370Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:40.296{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57174-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806369Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:41.081{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95820C18C067AB2F8E699875BC7CBF3C,SHA256=8CA745B3A159CB9D7A706F58DB45B39EA789E07EE4BD15D4345FD2DF45E132A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046540Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:42.836{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD6F177FCE6B56166E4A5424B781278C,SHA256=827704982673C96AB29FBA87C54D87F40CFBBC89E8BC22BBF3F0D28ABEEF2E51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806371Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:42.099{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AA9CA2C29974B01D8125402C7B839E3,SHA256=C9E2013B36FE1679772574681790C17F0742876FFC27DFD798BBE5EA757C6BB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046539Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:42.539{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\backup\new 1@2021-07-12_074537MD5=615C8F3EB8FC071E532A0252BEBCCC80,SHA256=CB8F4133557FB2EFB91D2A3DF7ECD71AD31D41E1F1B3F0C8BC7A996A68578352,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001046538Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:42.517{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exeC:\Temp\test\ws.bat2021-07-12 07:45:42.455 10341000x80000000000000001046537Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:42.470{466BC892-32D3-60E8-770B-00000000CF01}63565464C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046536Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:42.470{466BC892-32D3-60E8-770B-00000000CF01}63565464C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046535Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:42.470{466BC892-32D3-60E8-770B-00000000CF01}63565464C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001046534Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:42.455{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exeC:\Temp\test\ws.bat2021-07-12 07:45:42.455 354300x80000000000000001046533Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:33.711{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50930-false10.0.1.12-8000- 23542300x80000000000000001046545Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:43.869{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=648EF49334BDE26E8F7145BC2CF3C36A,SHA256=4E19C9EF27A2E3BBF844B4DA15F22D82940D9275C6D3D90FF2420B45DAE72ADC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806372Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:43.115{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B30AEC1887439C059DB7C88956EC75A,SHA256=AF364E7D9F6BB918EC908000E1C763A651AEDF33C435B773F73835A3307394A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046544Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:43.753{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EAC9D93D5FD6D082CB55C8826AB0AF84,SHA256=45E8F5F835C940D9E65CF94B094786EB923D4A56AF34FE9B77B5AFC8922F6321,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046543Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:43.753{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27511018F65BD42D749DE47C5DF279E9,SHA256=766B4180F5E9E26BF3E63F7A95B7D65A4E1B597B09EA58647464C55703D834A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046542Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:43.669{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B3D5AE835858E906D1E72577C6F345D4,SHA256=81B9B52F606582EF0BAB76BDDEAC11B5A054E348BD2107479BC5BBEF4E1E03B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046541Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:43.669{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=36293ADF60D97F3305FBC7893C4C418D,SHA256=6AADAF298C86C4A08FDEB75C17B60E913DD726AA7C35BA04F1ADDF92BA474E3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046546Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:44.883{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCF7D916ECCCFD05234EF2D93B388F86,SHA256=0174F1A544C63B99CAC4501D0007299CC5B111E44A490AAC2B9D5870F6E57BF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806373Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:44.115{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D47E9E8C544CACC9B489F5A2FC392D1,SHA256=23F99903A05957766AD71CD1ED1AF83F2437D068B43E49B26B9965C803C8B2FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046547Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:45.898{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB42A3D0EA6B56C1FD56EC76F926EC4C,SHA256=52AC6B4041EEAB68F74FEA5180CB15FFBCED75125D541CA272F54B851CAB3A4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806374Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:45.193{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E052C05645F42007A8850B510CF2342,SHA256=9C915EBE460EE5BDEC140A8653CA101AD59575C6153997611EA679F68EDDCBAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046548Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:46.913{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94017F655C88E0FA40104018B2082212,SHA256=2EB06AA616058015378A5C71610CC5DCEA2BA541D5BC561E4EB31F4B45EBAE28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806375Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:46.193{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A0BD1019A5B68724668E1B923D63FBC,SHA256=1DE46BB39BEA116D4DC6D59C953D06C759446255D7D7FCA03CAEDED3D34CD9FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046549Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:47.930{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05A67F11890E328D21E50790C5E18560,SHA256=DCC101D42E9A142B07D5BF0B24541DB8999C21FD27AA942F072F35FE57930A31,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806377Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:46.217{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57175-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806376Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:47.256{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9879F70294C66A1C1D522145D89EDD9,SHA256=AD10DA8C090DC5BF660F6D607A2F1E1E5327D475132F0A1F7321ACC081D8EAEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046551Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:48.949{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28885835749EBB735D8211DD0F940853,SHA256=AEBB82B5759555A3A54F0963CE4D43FD786A36A2CDCF6DEAA603779B7C0465DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806378Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:48.271{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=843488F4D819C55E9010514DADC9D893,SHA256=2D0DEEFEC8291D3D0DCFC3626D9B3152669BB6C35FE0736E05772249E30138E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046550Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:39.637{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50931-false10.0.1.12-8000- 23542300x80000000000000001046552Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:49.963{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E975B527C41E159515CD98001474CE94,SHA256=3DD5C1944DC9EA09C492C654A90E02D4BDCB3841CDB68AC3BB0E4FFE64415FD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806381Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:49.349{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB2E255D74A76241598EAF3067116344,SHA256=03620E4F0E7B6ED300D5E9B7C13EC74A2EB5F354492B5531AF9C1B17406449A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806380Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:49.349{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6DFE2A6D6CBE03F3ECB7FFD7408FD9D,SHA256=32F3437E6DA661EF3BB7B3BD5C58F2784084AE95673B585C807C5139C16FE953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806379Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:49.302{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98040088159668A179D3F03219820C03,SHA256=31B3B3146A2A1ACECEF231CCB2522A1603B0BC9BBF337F72B8AAB2FD081F4573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046570Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:50.978{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAEB9CCF1F4ECE2158FDA3663C02B3DB,SHA256=12738B05FA934B819AAB5CF0AA27C2673BC6672B66D871D4EDA2E1AB3A48CC5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806384Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:50.334{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E3AB3C041E005FD9B38623AE67783D5,SHA256=C99C14F5FA4928946D6A9A47992942173CB8DD6043B663ABAFAF1E47687BFACB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046569Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:50.879{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F32E-60EB-F87C-00000000CF01}9000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046568Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:50.879{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046567Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:50.879{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046566Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:50.879{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046565Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:50.879{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046564Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:50.879{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F32E-60EB-F87C-00000000CF01}9000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046563Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:50.863{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F32E-60EB-F87C-00000000CF01}9000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046562Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:50.864{466BC892-F32E-60EB-F87C-00000000CF01}9000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001046561Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:41.900{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57176-false10.0.1.14win-dc-890.attackrange.local49676- 10341000x80000000000000001046560Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:50.195{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F32E-60EB-F77C-00000000CF01}9784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046559Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:50.195{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046558Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:50.195{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046557Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:50.195{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046556Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:50.195{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046555Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:50.195{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F32E-60EB-F77C-00000000CF01}9784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046554Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:50.195{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F32E-60EB-F77C-00000000CF01}9784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046553Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:50.180{466BC892-F32E-60EB-F77C-00000000CF01}9784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000806383Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:48.498{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57176-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 354300x8000000000000000806382Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:48.224{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse89.248.165.74recyber.net44691-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x80000000000000001046583Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:51.979{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AE8B17DDBE9E91D7DFC2A57A572C25A,SHA256=BF9B4E6D7B81CA9FF3DF8C0676BAE1DB11E9E528EBBCFAA2D109202032BED696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806385Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:51.349{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795BA32E063DFA02BF03C4A176274AA8,SHA256=9594C9D355C120A066DD2685509CC412C7444EEAF1FDA543633A3689A00CB336,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046582Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:51.663{466BC892-F32F-60EB-F97C-00000000CF01}47129552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046581Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:51.479{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F32F-60EB-F97C-00000000CF01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046580Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:51.479{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046579Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:51.479{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046578Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:51.463{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046577Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:51.463{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046576Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:51.463{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F32F-60EB-F97C-00000000CF01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046575Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:51.463{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F32F-60EB-F97C-00000000CF01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046574Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:51.465{466BC892-F32F-60EB-F97C-00000000CF01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046573Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:51.194{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A013AF3AE0DE6E1A33AB4F41737FD76,SHA256=7B03CF5E2930A06A49BB2381DA1C4A4632E01A49307BB8AD0DD1E02D6C1D1AF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046572Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:51.194{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EAC9D93D5FD6D082CB55C8826AB0AF84,SHA256=45E8F5F835C940D9E65CF94B094786EB923D4A56AF34FE9B77B5AFC8922F6321,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046571Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:51.132{466BC892-F32E-60EB-F87C-00000000CF01}90009592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046602Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.980{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B7CAE02A70C67338930F82788DA4CF0,SHA256=9434D7230A72CA32D49E9AED8C35C7390BF4E2D0B3C92CF658674E3B729E439C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806386Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:52.365{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF1DD5A1FE797C9DFD5AD184330B0781,SHA256=DD4E20E4D85FCD88B0261AF90D720A94DCA01097B3D6E17A75643B376DDAF898,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046601Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.896{466BC892-F330-60EB-FB7C-00000000CF01}90288812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046600Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.711{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F330-60EB-FB7C-00000000CF01}9028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046599Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.711{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046598Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.711{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046597Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.711{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046596Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.711{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046595Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.711{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F330-60EB-FB7C-00000000CF01}9028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046594Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.711{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F330-60EB-FB7C-00000000CF01}9028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046593Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.697{466BC892-F330-60EB-FB7C-00000000CF01}9028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046592Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.463{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A013AF3AE0DE6E1A33AB4F41737FD76,SHA256=7B03CF5E2930A06A49BB2381DA1C4A4632E01A49307BB8AD0DD1E02D6C1D1AF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046591Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.079{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F330-60EB-FA7C-00000000CF01}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046590Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.079{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046589Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.079{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046588Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.079{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046587Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.079{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046586Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.079{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F330-60EB-FA7C-00000000CF01}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046585Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.079{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F330-60EB-FA7C-00000000CF01}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046584Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.065{466BC892-F330-60EB-FA7C-00000000CF01}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806388Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:53.427{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B35052B96BFDB4DF82D8B0EB9E811AF,SHA256=8A89854DD0D52E5BE50D71266D8A721AF09999B091AB29A48A9AB20B3FE51267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046613Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:53.711{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=182BA307A104E82F6A0AE0E847E70D83,SHA256=C465CD60D91C85C6E691909EA7A23E9EB1A6A9D0C43B2A1B9E647582099A4B93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046612Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:53.629{466BC892-F331-60EB-FC7C-00000000CF01}79768408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046611Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:53.395{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F331-60EB-FC7C-00000000CF01}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046610Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:53.380{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F331-60EB-FC7C-00000000CF01}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046609Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:53.380{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046608Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:53.380{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046607Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:53.380{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046606Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:53.380{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046605Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:53.380{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F331-60EB-FC7C-00000000CF01}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046604Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:53.381{466BC892-F331-60EB-FC7C-00000000CF01}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001046603Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:45.680{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50932-false10.0.1.12-8000- 354300x8000000000000000806387Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:51.388{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57177-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806389Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:54.457{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA6D90BBA13B93DD44646E81534558DA,SHA256=7E33C6185A8C769D2F489CCB2D143904E3C6E9B47BA243A2E887ECAABEE95D72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046622Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:54.079{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F332-60EB-FD7C-00000000CF01}9572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046621Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:54.079{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F332-60EB-FD7C-00000000CF01}9572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046620Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:54.079{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046619Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:54.079{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046618Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:54.079{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046617Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:54.079{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046616Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:54.079{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F332-60EB-FD7C-00000000CF01}9572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046615Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:54.064{466BC892-F332-60EB-FD7C-00000000CF01}9572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046614Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:53.995{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D75408A11D6C01ECD6AB53B9FAF3372,SHA256=ED3A8F79983EAB255FF9D534A09A71CEC59C3AF0ED5BA373C8114521C44B0474,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806390Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:55.457{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EDA778800BEBD16FBE8852D15D94D1E,SHA256=8F61B7A8870599ABC46186BFD8791131174BB19166A664257A6F838E790C5A1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046624Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:55.078{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A1000C0329D314D3C8B8C83CB2484B1,SHA256=496FDFC9C02DDD7A5B2F15A352AE8E4E323D82288917B75920724D2C33075EBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046623Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:55.009{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C0C3BD956ED2A9CA7FB58E70EB68195,SHA256=825F40F095171C783CDC39221215C280CB352B4F04B692657D54CDBBFC933B11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806391Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:56.472{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F264AF1DE2C6FDBAF8515150C95DFD70,SHA256=E5D53B2035CE818DB16FA0C8B8F023BFCFFECF3A28F9A5BF9FAF3430BA52F262,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046626Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:56.793{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046625Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:56.077{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B336FFDF9BEEA19BE5D60D263E213242,SHA256=58FAE8E6B46FF78C3E96AEF83D31FB38A58D0ED151732706355394A16CDE9391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806392Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:57.488{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77DB1050FC6A9B151467482607ED8DFC,SHA256=C37B3318CB60CF98FF64E9A247D75D6367639E294740512EFFB61946E1655DEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046638Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:57.645{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=D08BF5BB5F7335E3200E83EF2ADE792F,SHA256=DED845FEBD2997A642FACCDBB9D36FDA5A381F6C3FF94039609DFA1B96045BFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046637Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:57.645{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4E9B529A37BAC5BCB56818457EF14B54,SHA256=5FD4E2FABF3C59B2DA1E2669C765D73027F09417FB1228CED69A0FE80E3EE02A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046636Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:57.645{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F945381C2FB157A3FA8CF2411BFC2C47,SHA256=898A8B21D644FE0BB9E3D491A6A1D03AF5B013029AC3402ADF0921494C4789A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046635Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:57.645{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=DE6C0F0092AC2C5E5F5DF585B1C1F233,SHA256=B4F36F2FFC56F5DBE21B222A5F60A8B58BB614527A7B1C38391DDC9A3606949A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046634Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:57.645{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=787D999BB7CE86B4636B02329960392F,SHA256=FE1E617447BE2C7E27FB553BD5AA6B9C2F9D310C2984E4956818A675EA485B75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046633Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:57.645{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=CD2214D562DEC8F9C005B26E97875F6A,SHA256=AEF2F440A274009C71EE22BE97FBB5456885D9D00F8B03CF1D268A7752204624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046632Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:57.645{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=9ABAE90EFF1967C18ED7E310D711EE07,SHA256=E48FC511507FE93478838BF95D37A4ACDF3DDFEB22D829F9A92F434D14113BF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046631Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:57.645{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=1457D11788E5E9FC5E01A87BB2FFF1DB,SHA256=A9DE5F9DAA538088A8F89EE76B2F78B69DFA2BE570222918959F87EE538AA2EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046630Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:57.645{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=978C31FB712D76624D8912657CF00D13,SHA256=B223A2A097333FE954E8362EDD3C2F94AE300A19E9739A0E2269B8BBA20D7D9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046629Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:57.645{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C67C6BA37DA7E2D12753CB4A77723425,SHA256=D318E8DFC5D9166ABE6A9F2C526010B5AC472121A42653B6C1B91B126F0A73BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046628Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:57.645{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=E6697A2651489C9534066B544B49FC04,SHA256=B6FDD947FC21829475F9F636CC6C590C213B9DD0FCD849B2EB96FDD7B4CF6F40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046627Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:57.108{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD6AE77E695E3DC66943038EFF273B4E,SHA256=B0328EE64E13A20E665D32CC0A0D19399EB63384F13DFCFF3996E96949EDEEC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806394Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:58.489{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E72418D94B4090CE1AF15C4B61D11B9,SHA256=697CF75903E31098FC8C1D601201FD1C1EE194F1355744D3F520174D8A69C1A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046640Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:50.331{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50933-false10.0.1.12-8089- 23542300x80000000000000001046639Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:58.108{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B672C6BE12C7825F034BE305D3761842,SHA256=90BEE45AC21800C3EF3F0559B0F5B75F82D04FC272F5C9EB1E5EAB8C1B099C79,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806393Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:57.293{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57178-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806398Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:59.504{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6B27341BC61502197582D95ECDBF6EF,SHA256=16E9DD6DBCABC09E1D242276BBA9176E6A31F728F6D20F637ABF6EA167C445BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806397Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:57.752{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.218-25924-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 354300x80000000000000001046642Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:51.630{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50934-false10.0.1.12-8000- 23542300x80000000000000001046641Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:59.127{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80969C9AAC40FD81D3ACA6C4913FE959,SHA256=2D793D43FAC5F71D648B8EBFDA1C36B8D717D9722668F328811C8FA5FEF986A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806396Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:59.317{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D035EC751D7D14925E9694156767BD8,SHA256=4B9ECBEA49D6FB034781680021D45D842E66B785E287032A202F8BBABC71D40A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806395Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:59.317{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB2E255D74A76241598EAF3067116344,SHA256=03620E4F0E7B6ED300D5E9B7C13EC74A2EB5F354492B5531AF9C1B17406449A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806399Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:00.520{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C79AD9AD3BBFC1FFC59C27C804414CFA,SHA256=2B589042B982C35A8A0EBECF7D9F72BB284830FF154BF288B0FB7871877BF30E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046643Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:00.144{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=707E970A4375B2728B9894F84683B50D,SHA256=1DA8C011511956A2F3D4DD1CD51AA80A094165C8392735769C51641BAAE0E639,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806405Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:01.614{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37C174374A66EC1599A9D38D5F31227A,SHA256=8ADA828E16E323B846EF9CD35BAAA8C315449ACDBF8066F415CDCC0B46308CCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046644Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:01.175{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18343043D509CDE01714D078654B4D08,SHA256=95B22A7B403C4C2094BE378CED6F9BBA712BE625C83CFB4AA5149A03D8CA5785,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806404Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:59.370{0C1E0330-0492-60E8-3400-00000000D001}2152C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57182-false169.254.169.254instance-data.eu-central-1.compute.internal80http 354300x8000000000000000806403Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:59.290{0C1E0330-0492-60E8-3400-00000000D001}2152C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57181-false169.254.169.254instance-data.eu-central-1.compute.internal80http 354300x8000000000000000806402Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:59.233{0C1E0330-0492-60E8-3400-00000000D001}2152C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57180-false169.254.169.254instance-data.eu-central-1.compute.internal80http 354300x8000000000000000806401Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:59.232{0C1E0330-0492-60E8-3400-00000000D001}2152C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57179-false169.254.169.254instance-data.eu-central-1.compute.internal80http 23542300x8000000000000000806400Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:01.207{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D035EC751D7D14925E9694156767BD8,SHA256=4B9ECBEA49D6FB034781680021D45D842E66B785E287032A202F8BBABC71D40A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806407Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:02.629{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46237DB26E0659A2EB47B6F73E03F9FC,SHA256=C7D35973F6E08702D7CF5DC92A445270EEBDB4DEFD90A7B1BFB611CB04886416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046645Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:02.176{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D933DD0902C22A2944C2452D85A95C9F,SHA256=6C48C5AF5C90329234A3C8077EA6F27F8AAA2B9384DC4C7D743E7A17609E8E66,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806406Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:00.131{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.242.110.130amahgoob33.ptr1.ru64815-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000806408Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:03.645{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5FF9FF3C44CE5C9CDD218879DAFE453,SHA256=AD357ADD71D26217AB45B79BD51CC93C28D5F12D7257C26013EAD8293169D3FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046646Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:03.206{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD7DD747D1B4238617651051CE7DA1DF,SHA256=69BBB0B0835CB13F1A52E3278A0987A64C68CE4C11C75D72AD7A5DCA1CB3A051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806420Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:04.660{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC6521D5EB027F1B80EC620E80E9846C,SHA256=5157D72C9F8F4C14B36103FDB8AF87A114DE981475DC3AFE28683A5222BFAF32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046647Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:04.223{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99173AFD2F48E3260D9BDD391279B26E,SHA256=2A80DA00BBEF0F16B094000FA4D09F295995F5DA1E1022E86A0AA4A4A3E74B86,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000806419Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:46:04.520{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000806418Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:46:04.520{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0f5c6106) 13241300x8000000000000000806417Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:46:04.520{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d776e9-0x958557d5) 13241300x8000000000000000806416Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:46:04.520{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d776f1-0xf749bfd5) 13241300x8000000000000000806415Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:46:04.520{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d776fa-0x590e27d5) 13241300x8000000000000000806414Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:46:04.520{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000806413Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:46:04.520{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0f5c6106) 13241300x8000000000000000806412Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:46:04.520{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d776e9-0x958557d5) 13241300x8000000000000000806411Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:46:04.520{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d776f1-0xf749bfd5) 13241300x8000000000000000806410Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:46:04.520{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d776fa-0x590e27d5) 354300x8000000000000000806409Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:03.200{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57183-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806421Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:05.692{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E329E7B9BFA125E316E2299768E6FC48,SHA256=C998DF935F37C3721F18E77BF83C09AF142678B89C1B178BFC006B548FC19B62,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046649Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:56.713{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50935-false10.0.1.12-8000- 23542300x80000000000000001046648Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:05.241{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9B06B467F90CE1D48360D9581C3589C,SHA256=3DA8E55A149A45F89EC4EB2E7C3ADC40AB7CF0FC5B57434251D98AE9DA5E7584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806422Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:06.723{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CCA275FB53E62A9A67A2F65E0EA5AD7,SHA256=B8CFD00946239AB3433CA7537F4D898C6F5F40B3595E54C1699A2CFA05D6F279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046655Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:06.272{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4821AD28D4218F6C109665A31B0B1DF6,SHA256=936902E2CCEB906ABE4457DAF6744DDFE060E644CB79F53749476EBD3AA4560F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046654Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:06.157{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046653Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:06.125{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-57B0-60E8-6810-00000000CF01}7548C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001046652Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:06.103{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-57B0-60E8-6810-00000000CF01}7548C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001046651Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 07:46:06.103{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.7548.371.100454002C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001046650Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 07:46:06.103{466BC892-57B0-60E8-6810-00000000CF01}7548\chrome.7548.371.100454002C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000806423Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:07.785{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3AF0524EA92B94230144259EC3343F,SHA256=11F87E1F85CD23D2C2036DC60591A39E53E3031B21F439B30B401C66D8E0F46A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046656Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:07.273{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD8261823C1779A961E4C14DE70F232,SHA256=747C53A6463110E4394BF6D26D8765A870CFDB135CC0D858BF35D65242BC56F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806427Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:08.785{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08230CA84345E31ABC886DF97DACF4A7,SHA256=DEF277E50971AB79584E2D950D8D6D60A9E4FDA33B0A5A1F914CB69DD061FB6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046657Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:08.288{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FC99CE4F6647E61D812C6C328AE4D3D,SHA256=C035CFDAC837C6AC4C5A108030E20258A14E003D3DB817746962E7BEB49149FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806426Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:07.376{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-53237-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000806425Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:08.520{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D56480BC466A5AB86C9DC6C25702D12E,SHA256=7631F43EAFFA9992E0E2EA03B512F697E513A8880965330D84A7C524CCE4EED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806424Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:08.520{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA8E4DA43336E193DFBCFCA86BA7D0CC,SHA256=B990C5A8E843BB0C5490B78C40B89508A164F467288C7B7F4ED543E229475183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806430Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:09.832{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B95488D8A00D6DE7B818EDD92146DE4,SHA256=84C83E2CC39F4005F979AF7A51E981D39C245607FBEFC8D6AA1F3A1C170DB1CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046659Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:01.057{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57184-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x80000000000000001046658Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:09.289{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC69BF77DE725DFCEB88B4B34C366710,SHA256=FFD53255151BDB7309D518950ADE266D52C8B50EBC4D1DDDE347C65CC3C6BCCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806429Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:08.309{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57185-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000806428Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:07.656{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57184-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000806431Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:10.832{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=985A5FE341A16239FA2546ECFF39DCFF,SHA256=B411A95AC654D068036B0C6BA3C3BECF8DA775FD9ED94DC14675D471D03BFA9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046661Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:02.695{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50936-false10.0.1.12-8000- 23542300x80000000000000001046660Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:10.304{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CF6A7C8F6BF9202DCA36D742A705350,SHA256=D0DBD7D93D2674582BE781E392CBB76511E1DF49B3D14FA57CD04306F45B103E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806432Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:11.864{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6293B328110553363086D6405B5F8819,SHA256=BEB7E1E31FA5CFB1E69B5B93D27A06B7C24364F1F5829394B1549CCCBE46878E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046662Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:11.321{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=877C05754C3E7122AAFCFBDE4999FF41,SHA256=BE1FF4F4ED132492E9B6541157478B55978D357AD8F152F7528AC2EF0AAA5BA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806433Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:12.895{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A750B83597AD35AD69A1AD6D9EB3EEA,SHA256=D51227233A66622846A85364365481CC3981357F99C807127F5410FC87A856CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046663Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:12.339{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F33FEE15B7E2EC9E01201671D0D88CF8,SHA256=106299AC093A61FBA79F6E8D0B5CEB1A27E42A70163AA5C2C96FCBE463921D42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806434Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:13.907{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0DE4857B5BC9604301A1E2DA5C45B8F,SHA256=DC71B8B18B52F82EC9A10D1CDAF4AD9B4C0F8FB160699006BFC08B29B9FCEA88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046664Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:13.370{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F27C38673A419C4284683668CBE05227,SHA256=5907EA52EB3E55EB5A0D550A080771EA2ACBD107064532EDDD158FC304634658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806435Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:14.938{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A63F55BEE6F9FAAA54DC84A9443A41,SHA256=64E5F53CF75FFAED246A8F0F74F2D96E2877819C296EFDF919D11E68B4016190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046665Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:14.385{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C900A4A76D875CC9450561AF0132894,SHA256=268579EA414D8BA1B033EAC0BF35A66551A4F3206FCB8D7219241A1CC939BAB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806437Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:15.985{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C1CC2230B504B5D35DF8642E2CE3D9,SHA256=AA3C33F49250609581B6E3E77A816E0201B6EABB8ABB4D6E15D331C10A6E19AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046668Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:15.400{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C773094C4B9204C047D92B8803ADAEE7,SHA256=EE22A9E6B5245E8F782225635084B0365AE8A89612F22A2BFEB22331B25FE017,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806436Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:14.337{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57186-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001046667Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:15.369{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9157EF08F5618D8BE42A815D647BD25C,SHA256=FDD4506C3350659944955BAAAFB5AC985C888AA1923F55C94884D951C99ED656,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046666Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:15.369{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01E2065938BBE440FEFEB60BA4722A1D,SHA256=7C03BE3E918D57FD1CC498BBCF0FC89DAFE73F50D6222BE75B31630645F77556,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046672Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:08.622{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50938-false10.0.1.12-8000- 354300x80000000000000001046671Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:07.908{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50937-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001046670Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:07.908{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50937-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x80000000000000001046669Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:16.421{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA3ED35F45E867208498E8E8B2BEFF68,SHA256=AE3117CBB1ED263BFD7275285F639A242EC1B38C698B6A7FF5953DADE4128D82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046684Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:17.698{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=B70B008472171444522812C3BB0EAA63,SHA256=EFA97A8F9296F6CF8F87F0F85B4C51BA385C6AB23A21372603048508D03A172A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046683Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:17.698{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=911CEBD0475B5933CE3EE252D08CD97B,SHA256=CB96D0133BBF380616C08EEF9960B5E1B38FCEB271F3FBEB5520C89747EFDDB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046682Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:17.698{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=ECED7715627E6A345E50E90A405C2F04,SHA256=10664B2055EB3197CE0AD2D7962F243A0B5C360A628525AA0B935CC47A760EE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046681Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:17.698{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=3AD982EC0C8CF9B1A738F126CA289671,SHA256=E29DCA0D5D162C63B980713AF4F0A9D9D83AE6896A2079C7CC907CCD6598D7FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046680Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:17.698{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=ABB5A2FB36BCD46416194B8A17C03A61,SHA256=DEAD0D2ABB37CF9ED3C1EC8A8611182DAFF731788907FD279EB21D8B16AD9A77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046679Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:17.698{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=72887CE320B03B51ABE217229918DCE6,SHA256=BB8FB3C874DEE07D02AB0F7F87D2DCBCDC35695C4BF3524CCCB105DC9D64D714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046678Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:17.698{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C450B31BEB0205EF7893256062B8026B,SHA256=941C0B567853E5BD54BD738773E2B01E3518036C25D9F62D12A0B057E1907E8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046677Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:17.698{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=A70428FE3887C72B874A35E157F9B7A1,SHA256=AD612D51619E0A7DE63FBEF4BCBC16E8B24EC9F1716EC7B7A3C3B720F2F62B94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046676Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:17.698{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F2FB32B56002262DAAF5907594E5DED6,SHA256=E481E79580C3DF12C9FB130E4EA0854C6185695B3E62AAE5310F3FE7E1E441A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046675Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:17.698{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=624B4DC8C0201256DB14AC31C2396FFC,SHA256=837FADEBC6F7EA0EA27EEA3A0CB4401763E5442472C2A25DE60751F19DF73C9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046674Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:17.698{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=EEEE7D9F616589E5520D33F6F1AD3505,SHA256=1FBC528D79503A697933A055BC2A6974301A695D2776BAA5FC4F5C68FDC1743A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046673Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:17.435{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A6E2055C4EDDE02FD1886EC1CB63431,SHA256=AB9D085A5D632758662A51A0591FE004DB9514FAB2B853A78FC7CD2D7A301677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806438Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:17.032{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DFCDB62B4C834189CCE0CF29202A4C6,SHA256=E6290C8D94C7ADD6A9BD62561CBBD95B546227C713CA6FCEAC9CF39FE0DDFF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046686Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:18.450{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F11C537FF859D24FFE246F99C85F7D24,SHA256=56AB9062427CE84E322F04B52CF5B16D72373514AC6916BB80BC1F3E42BCEAFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806439Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:18.063{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ECBB0B2722BEE36F9489616C315E450,SHA256=9C1F21DFE41CE4DC9A3C6DCB117653C7EA93A47FD84E786C582F440BB0C9E8FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046685Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:18.198{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046687Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:19.465{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07C098B9E35AF4F279E94799DE0F14A0,SHA256=C6681F09F043C9C2BFB05FD78E1C89B2D42755980E3E0C171E469C1ED21E97D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806440Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:19.079{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8F6863720EC6CF0E96694008E77AAC7,SHA256=AF3F258A25C993EA3CE0B149232E8EE96E3DF501B46B6A24621230140168B81B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046688Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:20.495{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3E98173A3F61E267E2F9912F1838893,SHA256=03C26FAC7086242074DECCD73B04F3646282A20E4B7D24698447213D3AAC8439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806442Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:20.360{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806441Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:20.079{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F190E31F121AD861D933B0AA3C7933C6,SHA256=748F62CDE55F74027923465C66838D6EF12C52E4BF7FCAE2F12E084FF9C96684,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046690Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:13.733{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50939-false10.0.1.12-8000- 23542300x80000000000000001046689Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:21.515{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8424B0E97B4865142B343F46E095251,SHA256=9B75C1E65D85EA7EC0B649E81C987D048153AEAA1105442D94B0953262F69A4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806443Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:21.110{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D79C95E04FD20144ACB48E5FB1B2E98C,SHA256=CCE028F3E51BAE5F62CA32D2050657C9DD7FAC56D407830987F38A37B1CDB871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046691Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:22.531{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F6ECCA643F2018B9CEBC5039D54EB04,SHA256=41B3DD55FFFFEBC62BCF6A99C7C0E41F21F191B37218977B272154D9A24D3C05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806446Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:22.157{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD5F2104E0F3099C0B3D12BD07406FAD,SHA256=6017AFA7FF267D2B271495B98A0D49A9E960F7AF9C5723F1BDABB0932A663758,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806445Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:20.493{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57188-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000806444Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:20.259{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57187-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001046692Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:23.546{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DB6BEC7A712BACCA945E97037A05CCC,SHA256=5608B113073C45A150EBE87C3E94ACC248DE7D30F7256BE05A3426CEBE20F304,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806447Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:23.173{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23C49D6CB31732CFCF4DAD1EC1BB2090,SHA256=6BD7AFF281C5F5BF0DCC3C10BAD6EFBF820A65264AFA5E1C298859D4CCF15A11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046693Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:24.561{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA37CC67380B306A205F8AA698F5F3E,SHA256=F55655DAB24CFCB889D5334D0B32EEE9C82C4BB19717B109C3510E70B9F11545,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806475Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.923{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F350-60EB-4A79-00000000D001}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806474Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.923{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806473Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.923{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806472Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.923{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806471Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.923{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806470Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.923{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806469Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.923{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806468Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.923{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806467Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.923{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806466Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.923{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806465Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.923{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F350-60EB-4A79-00000000D001}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806464Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.923{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F350-60EB-4A79-00000000D001}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806463Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.908{0C1E0330-F350-60EB-4A79-00000000D001}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000806462Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.438{0C1E0330-F350-60EB-4979-00000000D001}9603868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806461Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.235{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F350-60EB-4979-00000000D001}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806460Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806459Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806458Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806457Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806456Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806455Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806454Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806453Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806452Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806451Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.220{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F350-60EB-4979-00000000D001}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806450Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.220{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F350-60EB-4979-00000000D001}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806449Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.220{0C1E0330-F350-60EB-4979-00000000D001}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806448Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.188{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3560A814645FCD367141B4DFAEB1A38,SHA256=FF0F961C71A53C797D4814BD4521F2C16F88BA54F0365785A99401DB13FC7685,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046694Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:25.576{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29FF22A25AFBE585E547996BE25D26CE,SHA256=BDFB989C2434C586617F33114C6D171D65A98E329F78321403F983AA450E5953,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806491Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:25.563{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F351-60EB-4B79-00000000D001}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806490Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:25.563{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806489Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:25.563{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806488Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:25.563{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806487Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:25.563{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806486Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:25.563{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806485Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:25.563{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806484Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:25.563{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806483Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:25.563{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806482Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:25.563{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806481Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:25.563{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F351-60EB-4B79-00000000D001}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806480Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:25.563{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F351-60EB-4B79-00000000D001}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806479Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:25.550{0C1E0330-F351-60EB-4B79-00000000D001}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806478Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:25.548{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45965F2B70FFA4690D52C82E9EE36A9A,SHA256=3EB2956ABEBD5F4023476B08AC340A997AF1ADBA99B067AF58C0E2CEDB203253,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806477Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:25.548{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D56480BC466A5AB86C9DC6C25702D12E,SHA256=7631F43EAFFA9992E0E2EA03B512F697E513A8880965330D84A7C524CCE4EED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806476Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:25.548{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B23052D07BD459051FD89300488674,SHA256=979A7B4BBE20137AEC0F80BBC66E390497C20F1A9C34AAD96425FD800A96E21C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046695Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:26.607{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4549F4E5440BD13DAB159A16101690FC,SHA256=27B7A57352D5D35228442EB91D1395479989E4C6FBEBEE47B5B1B96D1C657310,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806519Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.938{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F352-60EB-4D79-00000000D001}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806518Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.938{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806517Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.938{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806516Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.938{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806515Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.938{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806514Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.938{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806513Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.938{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806512Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.938{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806511Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.938{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806510Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.938{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806509Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.938{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F352-60EB-4D79-00000000D001}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806508Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.938{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F352-60EB-4D79-00000000D001}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806507Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.923{0C1E0330-F352-60EB-4D79-00000000D001}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806506Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.688{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFF92714F3C1BE31C8776DFA5A9FBA04,SHA256=1313BF215295A69FC2F5BBCAD8B6BB7B01BDFDD3D08F3D52304C743ADDB11EC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806505Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.688{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45965F2B70FFA4690D52C82E9EE36A9A,SHA256=3EB2956ABEBD5F4023476B08AC340A997AF1ADBA99B067AF58C0E2CEDB203253,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806504Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.251{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F352-60EB-4C79-00000000D001}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806503Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.251{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806502Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.251{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806501Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.251{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806500Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806499Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806498Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806497Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806496Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806495Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806494Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.235{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F352-60EB-4C79-00000000D001}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806493Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.235{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F352-60EB-4C79-00000000D001}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806492Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.236{0C1E0330-F352-60EB-4C79-00000000D001}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806536Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:27.907{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81CA9C706CF0619331108A90C08E9082,SHA256=1DAE2E924B7DE05A9918473046C7A43762ED04C1157C672F4CB5E0A14FF97E3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806535Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:27.782{0C1E0330-F353-60EB-4E79-00000000D001}15323664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001046697Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:19.712{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50940-false10.0.1.12-8000- 23542300x80000000000000001046696Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:27.641{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4791B6DB589BB11B9EDF48D7D77952A,SHA256=048FE4B697F6C918B019BD4CBF725B4CB5BD4AA06075A0150A0499BF83B8F281,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806534Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:27.626{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F353-60EB-4E79-00000000D001}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806533Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:27.626{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806532Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:27.626{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806531Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:27.626{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806530Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:27.626{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806529Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:27.626{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806528Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:27.626{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806527Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:27.626{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806526Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:27.626{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806525Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:27.626{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806524Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:27.626{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F353-60EB-4E79-00000000D001}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806523Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:27.626{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F353-60EB-4E79-00000000D001}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806522Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:27.611{0C1E0330-F353-60EB-4E79-00000000D001}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000806521Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:25.290{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57189-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000806520Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:27.079{0C1E0330-F352-60EB-4D79-00000000D001}38882420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000806552Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:28.813{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3E47B291A5F6B442DCF95B000BB0ED9,SHA256=01E9230B170A219D3A3EC1F2BE7489E74EAFB80CA61B692B77294BA18B46F5AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046698Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:28.656{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42D11B1F7A9835F1078CE6F2229BC346,SHA256=D2FD78C607BED348B71085019D39787476634DA891486F28F59C72BF314AA20B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806551Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:28.423{0C1E0330-F354-60EB-4F79-00000000D001}15202912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806550Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:28.282{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F354-60EB-4F79-00000000D001}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806549Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:28.282{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806548Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:28.282{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806547Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:28.282{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806546Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:28.282{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806545Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:28.282{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806544Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:28.282{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806543Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:28.282{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806542Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:28.282{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806541Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:28.282{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806540Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:28.282{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F354-60EB-4F79-00000000D001}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806539Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:28.282{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F354-60EB-4F79-00000000D001}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806538Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:28.267{0C1E0330-F354-60EB-4F79-00000000D001}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806537Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:28.157{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6465314F05003E2DBE9B9D95C10AD84E,SHA256=A009A180B4489E553A9B4A391FA2A115A3BB4B322CBA6776ED5327227D940C19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806554Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:29.845{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D494722E8726B7405D5D4053539DDB7,SHA256=96A20DD0B56903AFA6BD08C43BB8454466BDC5C61073B21C52A43B8FFE842EC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046699Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:29.671{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7E48EF48A0536A1555F2275D02A082E,SHA256=AF131505DDC23A481D3F9398B4CB4478E5B7704D5D25B25184649F5891BD4EE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806553Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:29.329{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B14B97E1DEBB2F389C9866422928D3DC,SHA256=23288CE851C87801EA1739F1C2FD30BBB6322ED4B7F1461AAA29BE972723B74C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806556Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:30.860{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67ADAB24D3EC4038A25DDF6F50539DB9,SHA256=9CD3817201CA555AB6CCAA53F8B392C72173E531448F9EA96CC5C040DDBCC21D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046700Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:30.687{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A48B61D9724FEC5DE707A498453951F2,SHA256=2E9108651E8D8C5159CB58AA84A64187449A365FFA708F60599BFBE357C492C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806555Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:30.063{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=EBB4195CA1A3A3D6A53E4A12138C757D,SHA256=10A16A33CE3687198F34E3F9EF058DA81E7D90EE3B4A939A928FC4C751C9E06F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806557Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:31.891{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E556968F159BEC8C8CC21354EF29539,SHA256=F3001B262E6198F87F86FF6490EAF4324316AA35B9FA8962D2AE4F66152EDDF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046701Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:31.704{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87ECCFCF7E79C9BD9FA002B6395E4557,SHA256=7CC9F5DF709A871B21C365D2958AD6A4A9BAD0143D7FE2AD52B749CFF48DA9C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806559Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:32.907{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24FE51639AD0A0C2FEFB0B59E290D903,SHA256=336F97E0A5BCD0A1A44BE5E58C746B23794AE0F513E168AE5B0F12554F0BBE6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046702Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:32.722{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24EB1F6A4910C1ACE722BBD8B123BA05,SHA256=181E915E15185EB63BA263F1BC0D6E5FC1E7BEE96F15C56933403AA4F71DBCA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806558Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:31.196{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57190-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806560Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:33.908{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FA0CEB49C0985E6CF117AB683DB0AF1,SHA256=26D10F8AFDE011BA3C1CD05FBA4A257C20DA3F2A8A2400BBCB449BE6F7EF2432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046703Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:33.738{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7F7EDFA49A35351F8FB4D04D55687CB,SHA256=F98E63D7B7837115747A6E2FE42675FA31C296D44297A82FEC85181A03B07273,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806561Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:34.923{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=583FA28E855FA9CC741708EF30038915,SHA256=DB40701B4AE9F2AAA042AA06E4DFB8EE894D17C5325F01100B77CA4D50C5826F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046705Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:34.754{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8591C1245CB700F11AB366EBE7E1A1D5,SHA256=AB73940B03C8332B598FB84D948C3121089704DEAFD93D21FCBE8EAA10C17D4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046704Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:25.607{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50941-false10.0.1.12-8000- 23542300x8000000000000000806562Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:35.970{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=175142F17EFA94DC0EC914C497CEC782,SHA256=2A33081BEAC8411976E09F895D5F4651D83443E172FA136DDDDE657A0311DE64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046706Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:35.757{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579203ADED623871968C6D0C7BF82588,SHA256=BAE4A301084573E6C22F54F3529D522CA9637A144CC547A66C2B51FA64CDBEBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046707Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:36.766{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15D9551E9281D89E67F54467E99DA055,SHA256=7579F1BD7469E7279B405E558EE0349812B274A651B6E5DE24A07A00A525CFDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046708Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:37.783{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1403FED87C7317B13A14CC162880E5A,SHA256=A0F21E87D48389DA185CD7C34B3D52EA2B5035DB874502E1B1927C53743CEBDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806563Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:37.002{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48387DC30F6C2B18D8B5F6CA194F6A80,SHA256=23268A12013611CC3D64A0D9B4E34B372DD10A9CC37FC63372B3772D33FD1640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046710Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:38.801{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5CBB383205CFCEB67B5CC53FC9E2E1A,SHA256=F60A6CF5F5BF708F3598651EEFDFA0CD9E641FC15A8D1BB5806AF623A9E76CBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806565Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:37.197{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57191-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806564Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:38.033{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=486B13F5EBF1C78FB02C157E04AA08B7,SHA256=D1E3FC144D608D7FB2587948E653B8C6EBFE486FC9A3A3E54AD1D4D0E2C31049,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046709Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:38.467{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6762C01EC88FDA027FDE0F2BB134F93A,SHA256=6F1AF35BA248CBEC320A27BB9B3C930BD379ADED454B4D5AF8ECB50D04E0CB02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046712Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:39.819{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=179DF52F9E21880A083251D092C1DC1B,SHA256=4FD04F4531B755CD44CA6F12E97CB9FD4FBAFF4F978D5DC39D6C3A1397DE6A32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806566Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:39.048{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15295900882C9FDA0B481EAD935BE25E,SHA256=0C84A6941B26C086C160E2058662BA9D0D35E9C98D07E5A94218646F49232347,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046711Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:30.735{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50942-false10.0.1.12-8000- 23542300x80000000000000001046713Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:40.835{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DD0FD8CF073C4CA3CEB147F5BAFA128,SHA256=C6FCA232657D25BF8EC2F0125CBCE7BCA2BF8B3DD9BFD53029E1628AFA955DD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806567Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:40.095{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C2C03B5B17EBED396603BD2ED76D114,SHA256=1325AF5EEF1B2723B4FB82D2F851B61D97112456102564864FD88B2410874874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046714Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:41.849{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E83B85ABEAA7D9332E7719E5EA52E9D,SHA256=23CCF2714EAEA146E0CA35D997F209A4790F1509890A0704EC65C1C61A01BCC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806568Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:41.127{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB1E956AB952BA951ABDD9601BDC68A,SHA256=185654CEED088D4A1D6805C4BE954AF6FDB1B3FC75F64F1CE2C7246055C2F79D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046715Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:42.864{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14AFCA112E783126F2E30DF5B816C764,SHA256=DF37F47FB3493CC97806FC4786E96827224E68312DE350435E13E5C78FB7CD6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806569Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:42.170{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB33D5F0A3D7C7CB7E1DCBDA194AB962,SHA256=F86D63156B19C16CEA5FCB377DBEDAE21BF4CF52CA0544B752619E58650C87B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046716Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:43.865{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FE388E0CD30B5D8E255F54718C102A0,SHA256=8BF4358575D8CC5C6B78E2820ED9AA0805C1D4BAC437B725B416578F7A1779F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806571Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:42.397{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57192-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806570Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:43.235{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70A837AFA9BCE79D63F4218D563EB3D3,SHA256=4BBF1AE1387BBED58E80003B9F67A666BA7495D63D498980AD0C37C7376FA3C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046720Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:44.880{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4272C45CBC2BD65D328A6F6784C6DD7D,SHA256=371F50472C7D9B9E858C2B155FFD6D64FC7FCE92C5A9A1628D9538948DDAA395,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046719Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:44.880{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9157EF08F5618D8BE42A815D647BD25C,SHA256=FDD4506C3350659944955BAAAFB5AC985C888AA1923F55C94884D951C99ED656,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046718Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:44.880{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99447ADC2CC6F63E41C646BCEA0EADA2,SHA256=E7400B31D2C5C76AB2C20CA5ECC10C851A91F320EFBCA803555B41F1016E391C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806572Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:44.250{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D109231B84A8F1FC507B35B275CF5248,SHA256=61D6766ECFD3F8374EBFC7D8CA860C307B04390A906B55B6E769FA83556C264E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046717Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:35.786{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50943-false10.0.1.12-8000- 23542300x80000000000000001046733Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:45.916{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78FD72A7703E5F7A1A3B60A7752CD393,SHA256=3C192C5DF6A3F6A45CEC055E78A63C74C16D813B7070AC17930C2142C1CC3FA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806573Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:45.250{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C285CDAF8DE9ACA27C3AD4E4883FCA7,SHA256=2C54D09EEC9E325860BBE39B1C9EACED880ACB042286DB7A6907A537EDCBF9BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046732Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:37.096{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-50062-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001046731Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:45.048{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=AEE892DFEF9DEE839318FF15CC4577B4,SHA256=8EE4797C5CA70284B8C9AA89ED7F332FC630FD393657DD7BB19FCD815BCB6FD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046730Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:45.048{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F22DFEE6F0ABD0CFB3C3600DE1E9779D,SHA256=DF2A7BD8F177A3E693ED3A347F538906568C71BA87CFA71E9CDA8EDDBED18E6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046729Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:45.048{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C5B1FEFBC274B5DBDB6DF52406C9F523,SHA256=C08BE258D1A71EA401793C4087C377B0421425308417785E300E741AF7B173DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046728Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:45.032{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=655448F0629020965BD726845F3CBF27,SHA256=66967BCDD77CB9F12B22E8192371A20147B82114E07E558BF3C6C4B3A554EC2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046727Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:45.032{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=0E615B92F67F25D5C6BA0BC0B0127149,SHA256=933180266DA365E71BF2ED8B714D4D3B815FFE7899D6DE556D568A0794913A16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046726Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:45.032{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=AF76039D34F57B04C12E05A91DA8C8D2,SHA256=27CF0E2AC838F178F6C18346BBDBD4B68728A808F02846A872F7AB09A930282B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046725Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:45.032{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=08F4DADC170013E929830916033C8D95,SHA256=6900E202527C9B3C9D6DE42219021FB241491A42C149DCECA86D23FB390EEFA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046724Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:45.032{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=B5D38A45F37FF8B9A01BF64B0D5FB120,SHA256=CB929E4F7A44A8AEE875D0AA60ED8A6B20CE9B2ED9117879A74DCB01FDBD7DA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046723Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:45.032{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=192D4BCB9224891C9C2EC4E0775C8525,SHA256=97FA256B8D40C8D7E248D4E2E6F9A3BA1E39AC913B5FB20789FD225EF406012F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046722Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:45.032{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=CB6BCC0341238F249AA41C095D405097,SHA256=1D41BDA416DB780814591B2F0A4A1B13A4C58E9BE8C2F1BBC168E8A1F77C9449,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046721Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:45.032{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=3B3A806C40B0E8B69BBB91CE6BEA5D9E,SHA256=9E0B5C4423469A1B92606B5FD1C3F7DA19E92691841237CC3A731DB3B8FC697F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046734Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:46.916{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E8E11C1E43CEA347DDA5BBD3898CD3,SHA256=544B5F3E28EBD526C32A9DDC7121D4C607C97B35E48249C51A5DE1AE54A99E59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806574Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:46.250{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27CDDB46391E5BC3D4B40F8487E5634A,SHA256=12F71137843F02593F0E1D1D79125A1DD92D3C8C9175F4FB0FEB738BABEF80D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046735Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:47.931{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=843158182DCDCE96EA905A65CEC21F4F,SHA256=A1DA03C43838ADA0F62B3488FB408C4935CCC6F417CC44F6E67B564EA4F5802D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806575Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:47.297{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=527B4864073F8880021E1E0C2E48371F,SHA256=0513BB660CBCCA8C960FD5C1479B0D5188CF51FBBF1BCF993D71F68C3E9D118B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046736Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:48.962{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2C4775582B5D4FC4BCDC6325A7C036E,SHA256=7309D5A9274BCC628C4278D9FEDCBE61AA4DA8BDF322C9C0E38D320293B59662,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806576Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:48.329{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22D476205BF21604285EFCB94457922D,SHA256=2D5683285C9A3C7FB1F3A340E57DC87EF67C194D8C7A3F59EAC57AFF68B9EE53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046738Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:49.964{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8550D4F4A3D38C99F41D1BF04EF005FE,SHA256=F789B96E6D841DF6F93783ABB660AA38D7D992858066FC386624623634796D84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806577Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:49.344{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F535844F2BF8922149808CC749A888F9,SHA256=48AF53D4A4309A0ABF1FEC947A06330AC89BACAB58FC1F8AB184D6F10F2C0002,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046737Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:41.569{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50944-false10.0.1.12-8000- 23542300x80000000000000001046758Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.979{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCC07BC5A824158CDEC92C0969A001F0,SHA256=1A3BF0849F747147D77E2C47913966A1288B1FA769953A38D07A398C4F60738F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046757Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.979{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA5FF9CA51531DCDAB896B4EBC01FE12,SHA256=D6B923BF662BF19A5243172BE48C25B4942ACF617245B6ECD3CF70F574EDFA76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046756Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.979{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4272C45CBC2BD65D328A6F6784C6DD7D,SHA256=371F50472C7D9B9E858C2B155FFD6D64FC7FCE92C5A9A1628D9538948DDAA395,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806579Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:50.360{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD29CEE3D25A66B7B91AD3FBF0CF0B60,SHA256=A2C78AE5A2D3C27F19D7DDABE828F1837FEBEA5AE03D96404E9C9426A4BD0E6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046755Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.896{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F36A-60EB-FF7C-00000000CF01}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046754Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.878{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046753Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.878{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046752Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.878{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046751Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.878{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046750Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.878{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F36A-60EB-FF7C-00000000CF01}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046749Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.878{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F36A-60EB-FF7C-00000000CF01}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046748Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.879{466BC892-F36A-60EB-FF7C-00000000CF01}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001046747Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.401{466BC892-F36A-60EB-FE7C-00000000CF01}95249620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046746Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.201{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F36A-60EB-FE7C-00000000CF01}9524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046745Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.201{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046744Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.201{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046743Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.201{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046742Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.201{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046741Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.201{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F36A-60EB-FE7C-00000000CF01}9524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046740Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.201{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F36A-60EB-FE7C-00000000CF01}9524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046739Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.180{466BC892-F36A-60EB-FE7C-00000000CF01}9524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000806578Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:48.227{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57193-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806580Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:51.375{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A67638ABEBA973B4BB7051542F8D2896,SHA256=F5BD033356C50EA9C276A6CA541E57E7882157BD7E094811476C85DD38EF8B53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046768Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:51.763{466BC892-F36B-60EB-007D-00000000CF01}77368652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046767Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:51.563{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F36B-60EB-007D-00000000CF01}7736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046766Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:51.563{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046765Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:51.563{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046764Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:51.563{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046763Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:51.563{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046762Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:51.547{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F36B-60EB-007D-00000000CF01}7736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046761Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:51.547{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F36B-60EB-007D-00000000CF01}7736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046760Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:51.548{466BC892-F36B-60EB-007D-00000000CF01}7736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001046759Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:43.204{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.188-17553-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 13241300x8000000000000000806582Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:46:52.485{0C1E0330-0490-60E8-1100-00000000D001}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d776f2-0x14439196) 23542300x8000000000000000806581Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:52.375{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6365596455D363E7FB67F956DF672FB,SHA256=29965BBE984E79AEBA39FAF0B69DDF972FAA6C4F93A69B6B2CE758B275F27CE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046786Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.931{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F36C-60EB-027D-00000000CF01}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046785Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.915{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046784Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.915{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046783Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.915{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046782Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.915{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046781Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.915{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F36C-60EB-027D-00000000CF01}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046780Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.915{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F36C-60EB-027D-00000000CF01}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046779Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.916{466BC892-F36C-60EB-027D-00000000CF01}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046778Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.562{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA5FF9CA51531DCDAB896B4EBC01FE12,SHA256=D6B923BF662BF19A5243172BE48C25B4942ACF617245B6ECD3CF70F574EDFA76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046777Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.247{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F36C-60EB-017D-00000000CF01}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046776Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.231{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046775Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.231{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046774Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.231{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046773Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.231{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046772Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.231{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F36C-60EB-017D-00000000CF01}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046771Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.231{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F36C-60EB-017D-00000000CF01}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046770Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.232{466BC892-F36C-60EB-017D-00000000CF01}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046769Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.019{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65A4134EB33C8FB90A85DB142260A12C,SHA256=0D51560CDFE78C5EEEC597B3D68BB5C163E507BEC0967DBFFFF9371EC198B50B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806583Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:53.407{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=735F66DAE9763B61EF737494403D0858,SHA256=9E23AED9554ADF8B229472A1C420CA90FBEF048FED2DFB70E8EBC22C6569F435,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046809Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.916{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9C549520E1FE63DDAF46BEA6CF67100,SHA256=7FFC70E93FD80D88421438ED85DAA66902DF679A3462B32408CD99FB3BC5A6F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046808Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.799{466BC892-F36D-60EB-037D-00000000CF01}1049996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046807Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.600{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F36D-60EB-037D-00000000CF01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046806Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.600{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046805Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.600{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046804Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.600{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046803Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.600{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046802Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.600{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F36D-60EB-037D-00000000CF01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046801Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.600{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F36D-60EB-037D-00000000CF01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046800Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.594{466BC892-F36D-60EB-037D-00000000CF01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046799Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.346{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=DBF7D84695EC2AD038CC192CDE804B14,SHA256=8C592A661A23E14AA1FC8175FB9D706319D61EAB3D01865A3B6743974F3D363B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046798Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.346{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=505F1747F4F51F2525619F766AEE12AE,SHA256=F3496DB0B27B186110F1EC85F99C76F77CF50C99CC1D39BA74C253C509DA1E67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046797Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.346{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=29BD216D498F41656977A6703D0C1875,SHA256=B4056BF33C0B5BBCC45A942AAA61DC8F428DCD62E6D1009FB8CB94AF79F2685C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046796Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.346{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=258CA4FA98930E55679EE855F449D8CF,SHA256=2141406EFE53BF3B035705960C08124FBE235CF8D8C0B52EC4122E4FBF009E3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046795Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.346{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=554FB01AE03220BE11DEDDACB4AD80D6,SHA256=C437483059B5CE8D54FB729C7E0CF010315372BCDF56FF8C5D20D2AE1670929E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046794Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.346{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4AAD769E16DCEC499CCD013EC58C3092,SHA256=7EF455E87B220EEDCA31F306549E54259EF6E6FCA7F053EEE54F06884E289847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046793Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.346{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=9BBA6746BE60652408F1B4F21CCCB7A9,SHA256=062EAE80BDD5F96C851B9E7B72A7D582E7CD0A6FC4287DFDDFCEACCBA0BBC624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046792Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.346{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=10EBED91417B31888BF10C740C6673A3,SHA256=19F97108432F5ECB1DFBBB20E7179042AF5E3EE4DE0E1E7F7EC63AE5B006B2E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046791Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.346{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=CE7D2737073FE52149B5F85FF81AB6C4,SHA256=8783AC33C99D99FF6C025C0425D2980E7F77EC0271E681393F09A8C844FD889C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046790Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.346{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=51A91CC51EEDE4421F5C6A5DCA937C1B,SHA256=E8B2641C2D32F11905A59DD779F65112E6791117D46CC0720F8A8614D6137BFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046789Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.346{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C2B8711949AB25B1E702DB9CE573CCAB,SHA256=DDE98E2C37897771403A7E81D09B36213D28E5EF4AA5737E8F702E284C5DF1F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046788Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.099{466BC892-F36C-60EB-027D-00000000CF01}386410176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046787Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.046{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED6EB7765836A2C132DD6962A3B8CEE0,SHA256=A41F375A620105E9D3412C2BE7DD1B39286C3ECB2DD41E253A8E977388D46E5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806584Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:54.444{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CDEDF10EB49133D95327880D42094D9,SHA256=7E44B2100403BB6EC7305324E365C6E7C7D9961E4C1EB1A566BAEB62A2675393,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046819Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:46.746{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50945-false10.0.1.12-8000- 10341000x80000000000000001046818Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:54.279{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F36E-60EB-047D-00000000CF01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046817Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:54.263{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046816Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:54.263{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046815Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:54.263{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046814Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:54.263{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046813Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:54.263{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F36E-60EB-047D-00000000CF01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046812Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:54.263{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F36E-60EB-047D-00000000CF01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046811Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:54.264{466BC892-F36E-60EB-047D-00000000CF01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046810Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:54.063{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF137B5579B4499F713B1992131E8DB4,SHA256=A0A44D3CD69352C058AE0B345F1354BEFA8633D5D1C9878F91674F3C0EB427A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806586Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:55.476{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5765694CE7F4FB67D31BCEF68141FAD8,SHA256=355E7139ECB330B704A65AB1EA9FA281FAA9A8D55E11FD4E9A27BB39F5675699,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046822Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:55.477{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-02AB-60E8-0100-00000000CF01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001046821Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:55.277{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E4EC8D511263FF309F93133E5C5F6F5,SHA256=8A71CD7060485E73B932B6A353D9C66F511B9EF309BC60E9A9F3334C836A2F70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046820Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:55.078{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD444D25E2B3337020EC381426B1BF31,SHA256=D944ACD750B2478771ECACB5B0AB03D7EA5B423B821498EA456FB0A8B825B013,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806585Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:53.383{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57194-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806587Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:56.491{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5B19CD291A61788855739C4F19B502F,SHA256=412F9B8BA192B2BDEF0FB5F856795787D6E9239493067A8CBD1DFE09534FD7F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046827Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:56.813{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046826Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:49.031{466BC892-02AB-60E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50946-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local445microsoft-ds 354300x80000000000000001046825Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:49.031{466BC892-02AB-60E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50946-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local445microsoft-ds 23542300x80000000000000001046824Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:56.495{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21B1BC3003397E4DEC2C3E102290B215,SHA256=8453FAAD31E1DBC1583356240EA63C671EEF9528675ADBE50B64E1EFB8A8C3EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046823Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:56.130{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08140E561B6D7F3196EF92AAF5736EDC,SHA256=4BF72C9695842D27609C769D806F582C3449A3984E902D5812813052B58A423E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806588Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:57.507{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=396345C5371DE500958864C741976EAA,SHA256=708A0015944A0495CF30AB2EF1A2BCC43BDE56C49C8F6C4E9C35E63EE19184F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046828Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:57.144{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DA732B9A1BA8B8852B39BED568D7285,SHA256=7D79161EB2F5955E35F06748510710AB162E50B345D38CC9928F4484B88724CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806589Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:58.538{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C6766566793F8D6609DB589DFF5B583,SHA256=26100CB5A5BDA6F358D3801444A772773833CD72F86057EBA1490075A30FFD7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046831Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.347{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50947-false10.0.1.12-8089- 23542300x80000000000000001046830Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:58.160{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE26D65AF0CF318C27D3D10761E39468,SHA256=563C79283921760DEC92BFB116D82DB6B605502CAAB8E3BC6D530E83A05C5EA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046829Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:58.076{466BC892-5A42-60E8-C510-00000000CF01}7816ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exeC:\Users\bob\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\7816.xml~RFf64733f.TMPMD5=4553D3891EC8198EC956E59A7FA89664,SHA256=7DA31B28073EC76DCCA7EDFC3709014058FE36DCB6626D30538493EE344D57A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806590Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:59.601{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FAED2CB62FC8EC810C8D3003C0BC88D,SHA256=13EA716D6620E843728283062F9A7BB8766CA8578C1EA9C52156A8DFBB9CDC46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046833Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:59.543{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046832Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:59.175{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70359B6DD03CBB5FA774F2D1E15F213B,SHA256=1619EAA9087006614CF2CD46128EB2ECD420F487263C38ABA283C19C4745DE78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806591Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:00.601{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E65B409B051CB22BCD618CA38C3CA61,SHA256=AD89AA12821947020D33CC7EB4F39A38B41BCA83F4001C9088A04AD68E8CD347,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046843Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:00.810{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-02AF-60E8-1000-00000000CF01}432C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046842Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:00.810{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-6E0B-00000000CF01}6608C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046841Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:00.810{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-02AF-60E8-0C00-00000000CF01}844C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001046840Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.728{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50948-false10.0.1.12-8000- 10341000x80000000000000001046839Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:00.611{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001046838Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:00.611{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001046837Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:00.611{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f 10341000x80000000000000001046836Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:00.611{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 23542300x80000000000000001046835Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:00.611{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFf647d23.TMPMD5=FEEDDF0B48ACBAE2DF2C13E094BA61E1,SHA256=564E4AC53FEF38F8EC2ADC3773CA3AE2E546D9CF626CDED40CA8B8DCCA4D789B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046834Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:00.195{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=399314D991F05FB1B827A27F74A0BE4F,SHA256=BD71B561C0DA08668DD008C6A5ACBD93D6ACB5EEF98250FB73A99FC6072D13C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046844Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:01.211{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F3C3439290184966746149279626855,SHA256=94CC9765F559EC3599EC1600A6119F342CC56765A6771259E0199F6EA5F24DE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806593Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:01.616{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B866BC360A4ED0A1D8D038B494C07FA,SHA256=D5BF916643D7ACE66EC508201C0090799B09099548C4C93B23DCE94B591E460B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806592Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:59.264{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57195-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806594Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:02.632{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5275CBDCB611B8BBE4356C0B35E1B055,SHA256=07EA26C972E2721C0E13F9434E67A2287B1E14636E9B428512D37A947B43C1F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046845Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:02.241{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7DEBFE8626C60A06EBDB25B4F350AEC,SHA256=6E62DEA3E04B1ADCAB14D22F47320AC9F2EDE93025BF0D9677F856128956DEEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806595Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:03.647{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FE2143FC83BE1BEAEC85759A2FB5CCB,SHA256=5AD29995B45FFEF525902404925DEEF3AF493A9000A9D87C8E82C5AC84FA63B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046857Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:03.388{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=A7E11DD2BF8857D10640D35EDE05F080,SHA256=A41BA48859F4C797F5925318F7B655AB0BEEE47BB432F7CD9E3960DBB7440F5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046856Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:03.371{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=1BBCA2FB9FE5CC731E722985237F7981,SHA256=3ABCD4F8D8033D065DD7330F43D51A40ABF5D653970A2D47A1E6FA9B0264475F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046855Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:03.371{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=0BB6F4B23D2FF601684632A87408A9B7,SHA256=96D78E4B5F87E1F7908F32E1673FEAEE9E9AFA8FA54A09F55454730C8EEB5CCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046854Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:03.371{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C283BFE7BF8DD93472D2A2221EC7E9E1,SHA256=85F87BA59304BB304A730AA7127495A516337A55DBAA4C3AD6AF60E6B3B674DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046853Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:03.371{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=129BD090D60E4D60307A70D940205DA4,SHA256=D31FD3F3E5D0B93FE2EF97B3F5FF91126D993D2E48E3C8C7EB74364073411AC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046852Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:03.371{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=BB47C7B8624CC7FF0B9EF6676666F74F,SHA256=2885401BBEC53D8ABDD5AB7D6C271E63518C0216A77C4D7645FE6A474453CDB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046851Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:03.371{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=6F7EEB420E7A3274E4BAD443920FF1C5,SHA256=5D3FA61AB26A95FA35B85CC4B71EE28E9C9DF79EFF677AB1DDD30C677F1D37B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046850Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:03.371{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=9C951DF6799D3E39D1AA976B1420E688,SHA256=118916E5C5FF4F1D18148062D44B0E786498C799E3AE66F8C4B708F7DD94135B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046849Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:03.371{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4528D20BCCF97C48894B441DB9F424B6,SHA256=0E3608E267747D0E19ABD5BC7B00AA8E05B331007DFF6719FC890330ECF3DB22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046848Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:03.371{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C944602E191F82C508A5B7A4C3FAC2EA,SHA256=FB123CBC0E0EA8CB7B77AF5E0EC328EB7A4EA6452D5C31CBB6F4BD9F438ED795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046847Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:03.371{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=1ABD9D1C4BBE908F33D3F78C190FA517,SHA256=504C1E1959470832D0F73C2C2D2FFF155B9CCB0D238A5A91E8CA289B47734E12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046846Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:03.271{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC6CFA6203F375BBAAACC497F684C72E,SHA256=C6EF05EDBE9178CCFBFD2E644759A22DACAF95C275FD3B32B6D36BFDF05CF852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806599Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:04.694{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E192B1CE3BF6CF02D3AF07B9C1E24E,SHA256=236960611596B32E5CC96310BE963ABB3A3DC2E125B79327B3D7240DDD4EA0F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046859Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:56.768{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57196-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x80000000000000001046858Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:04.291{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=793AC9214010798D082123BA4C4AE0EA,SHA256=D9BC6D717B56D783C7F93793E6D9636D8C1475B9F4BF60294117C7EE02F5C2B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806598Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:02.817{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse84.242.35.58static-host-84-242-35-58.awasr.om57862-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000806597Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:04.226{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B836257E21137688BD27A984F660CDB6,SHA256=DE2774570DEDF8BB1678F5D94095D5B8C6F7F40EBB5B08F45299C140C51DEA1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806596Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:04.226{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D6CB7CC0F8FF4A10F2F14DEA4FB8D59,SHA256=68CD63AF5007E851768DEF794E1A9B428C79C0C29A1D1C6A424D41D2783E997F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806601Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:05.741{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24180F04894F221F0EFA6A8651782C75,SHA256=67EE532C085248BE969BF8A25AE7EF427B9E7B9CE48424B43493C5E97F603CEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046860Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:05.307{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2731F66762E4AC433EF4190F37E7C165,SHA256=9AB4F335A1F029E91EBF6F7AB8905CF0BD4BCC0DB9A2A3B17189186BC678A536,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806600Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:03.367{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57196-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000806603Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:06.757{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73E54FD185293546B837E8FAF2B34D34,SHA256=FFA4204C0914EAA3A7A54E1D3C1C1C7B43A12E7F5657D2014228E533A6C6A613,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046867Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:58.659{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50949-false10.0.1.12-8000- 23542300x80000000000000001046866Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:06.321{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92A82C1FF32060A3619A789E723DDCFA,SHA256=9587822555933406A32679E9B9C2381AB317B87D2F46274D403B8720F689EF4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806602Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:05.249{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57197-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001046865Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:06.190{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046864Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:06.137{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-5563-60E8-2010-00000000CF01}4048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001046863Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:06.137{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-5563-60E8-2010-00000000CF01}4048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001046862Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 07:47:06.137{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.4048.408.46251248C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001046861Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 07:47:06.137{466BC892-5563-60E8-2010-00000000CF01}4048\chrome.4048.408.46251248C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000806606Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:07.788{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9802459BBF6ACD780E83469FD6DA4DD,SHA256=687A7B5DDDB849ED2EF37282DBC748CF09F3272EDF2E5428C77169A86CEF4AF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046870Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:07.336{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=166A7083D12B1B310918918227E925F1,SHA256=A691F4FDB3335E886C5ACF945ADF3ACCDEF853DF092F2CD504F67CFC7FE95417,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806605Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:06.377{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-2202-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000806604Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:07.538{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B836257E21137688BD27A984F660CDB6,SHA256=DE2774570DEDF8BB1678F5D94095D5B8C6F7F40EBB5B08F45299C140C51DEA1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046869Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:07.236{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BDDC3F6BD66C30EE5927573F5C70117,SHA256=E68CA0B79A32927F5B7CD576BC7205E1D015333B649430FE06B129AE0E026FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046868Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:07.236{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D2260DB8B0B4F6B26B1C4B205F7EBA7,SHA256=D71758010BA59709D18FE428F2E223C20567C54493855CEE86F25A3351510622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806607Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:08.897{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D37CD4BF404957FCB66A04BD7A2473D4,SHA256=75E7FCA93DC8CFA8220ED45116BF8BCAE0FFD4ADB20F9DB464213B9BBECB4A63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046950Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.520{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F07C1E9892DDDAF2115E0697F5B9224B,SHA256=3084A2432E1042D67D2529054B0EAB514B045A5396BF554B9C6F78206380C94D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046949Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046948Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046947Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046946Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046945Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046944Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046943Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046942Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046941Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046940Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046939Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046938Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046937Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046936Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046935Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046934Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046933Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046932Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.387{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046931Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.387{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046930Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.387{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046929Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.387{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046928Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.387{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046927Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.387{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046926Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.387{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046925Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.387{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046924Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.386{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046923Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.386{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046922Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.386{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046921Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.386{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046920Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.386{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046919Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.386{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046918Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.386{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046917Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.386{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046916Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.386{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046915Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.386{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046914Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.386{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046913Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.386{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046912Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.385{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046911Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.385{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046910Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.385{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046909Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.385{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046908Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.385{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046907Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.385{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046906Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.385{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046905Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.385{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046904Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.385{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046903Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.385{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046902Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.385{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046901Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.385{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046900Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046899Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046898Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046897Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046896Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046895Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046894Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046893Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046892Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046891Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046890Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046889Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.383{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046888Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.383{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046887Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.383{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046886Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.383{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046885Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.383{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046884Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.383{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046883Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.383{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046882Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.383{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046881Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.383{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046880Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.383{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046879Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.383{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046878Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.383{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046877Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.383{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046876Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.382{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046875Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.382{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046874Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.382{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046873Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.382{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046872Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.382{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046871Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.350{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61B5A362EEE39D9FDD7F2483ACA6F49,SHA256=2355CBD9300B4BBDBD4FF1B57493B38812AC2A74D539DA915FDFB0F5C3B292A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806608Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:09.929{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86B99A2FD8FDE60C58FF7CC88B45F025,SHA256=637CB51224FDD874248855916AAA630B851252E7014C8B5EE96BAD8A0DE665F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046951Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:09.664{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A1566DB21CD5B39249FC5F7546A729D,SHA256=FC7D635BCAE5FD53BE7216C77D26BCB213A3D74A522128C14744BA5E9A2387F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806609Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:10.929{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=798E7A6227FC066F66C297CB26592AD4,SHA256=9CE08CA258A371C509F36C05D8F6B79BD87130904DCD5B1061094E337F8AE8F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046952Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:10.681{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F535AD7117B2200B7DDA7ED3B7F200F,SHA256=52728BE1C6A5CB60F632B34AFB39FDD478E320976D3BAC44E689BEE0AA534D4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046953Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:11.716{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3B7BEC64779DAF5394F448C6D22864A,SHA256=AD6EDD8E18B3D7E6622037FDA98146A06E6936C58588ED45E9DA85E57FEF6CC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806611Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:11.944{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=209230ACE31B63B292D19855B0E8F061,SHA256=F87BD37C2A1DD66E1B10B2FE23F572432432C9E281F8DA2638E28AA029C5FB57,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806610Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:10.296{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57198-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001046955Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:04.669{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50950-false10.0.1.12-8000- 23542300x80000000000000001046954Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:12.731{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0DAF694A764391F1D6DED69B88C1325,SHA256=963B4E0557DFBF7DEBF244906B1832A83CBC5E60995FAA49108A8D5F5A51E061,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806612Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:12.976{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED0AC3EF48A9429704179658FA547AB,SHA256=64DC3533F2701138E6C38F1D0A6859AE3336F3B16C15B3151DCE35C090E04006,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046956Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:13.746{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D01C279BE35E359EB01DAAE2A6D5A2B,SHA256=8D3BF21ED9EA98EF0C402B78E453CD2AC49ABF66215DD8A3E6106108302212F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046957Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:14.746{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19A5A8A98E28D6376F02497042288844,SHA256=727A6404F615996608F92F36D0EBD0E71EFE7788CAE3A5001F9D326A7F15B0B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806613Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:14.003{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9422EA7388B13A4089F15008A7493AA9,SHA256=DAB62DC16E53ED461D15CB4081046F0CA8F2A286619AEC64ABB86C74811394FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046960Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:15.760{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7CE78EDB3138D352982A95F097AE1B6,SHA256=EC342B2CD55B0B062FDF8140B60CA2044E033953890DDDBC5A1F27C9EB10115F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806614Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:15.065{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7D2B456C2E7024052A08164A783D77C,SHA256=C902BF6EFC23D9E726CBFEE0AABA4B39EC70B749B624DFD890837C6552BA5D81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046959Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:15.381{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6B014ED0940D12E251C3B2E5AB5ED56,SHA256=BC0C0AE815C90B3E5DDBE7118A4C0C534E23D9DA5017381283B3B45CE2C910CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046958Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:15.380{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BDDC3F6BD66C30EE5927573F5C70117,SHA256=E68CA0B79A32927F5B7CD576BC7205E1D015333B649430FE06B129AE0E026FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046963Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:16.777{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB25627026FAAF1DA6F4CD8C83F976A2,SHA256=E29FC647E16F0B523E1F5BB21E8A43560C9F746D54B394DC0C9985F69E9CBD6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806615Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:16.097{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6214174F927FCF32EE668243A487ABA5,SHA256=5B0509AEA0C154C74CB62F88B75653A129EA188470C04ABE43D926771EDD2222,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046962Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:07.913{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50951-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001046961Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:07.913{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50951-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x80000000000000001046964Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:17.796{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CDDFFD7B902C55B8D562AB08B651F3E,SHA256=738F261F853E356816BC88DBF6FF2E69D2904D970E48A5C7B6686AB8AFA332F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806617Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:16.245{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57199-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806616Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:17.144{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09F73D4ABAA91317EBA76888BD465AB1,SHA256=FF0F2EAB3A880C07406327F7CAA10F351D269ABA67F199EA0B39EBD3C66C64EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046967Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:18.810{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF761FD5FF0867752A700BF07F2FD2DD,SHA256=03C03B762BA9946D110833C723D130731C32824EA222B1A9C071A02FEDA2ABD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806618Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:18.206{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48CEFACA22796327A54B8CC005A13466,SHA256=394C2242DA9C3574ACB65B3AB6DFFD882634F5B0082ECE2064344CCE35A3A9E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046966Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:18.211{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046965Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:09.765{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50952-false10.0.1.12-8000- 23542300x80000000000000001046968Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:19.825{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE41FC3094B9E1819113FD626E996BC5,SHA256=7DE2420F9D68D089AF4E2EA087363A7C7B7F7F5A55B5FD57951D0588CAC2F79B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806619Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:19.237{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=471179DC80BFC6722885B9F5B6330F96,SHA256=6173FD683872EAA22249FA94724E777F3856B86027C3F0785D502D09C47D0023,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046976Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:20.855{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7224F2408E317E34C3870899DFFF530,SHA256=C156FE6CB00E9461E026CE5A894D6632B3FB91C73ED18C1455A2575D6765F45A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806621Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:20.378{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806620Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:20.253{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC6BA164BBA629EC773649940FA83568,SHA256=216AEEC8812CF497DC0FAB8BA301A7E2FF498001354C730A5C23EB50D83572B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046975Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:20.224{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046974Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:20.224{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046973Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:20.224{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046972Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:20.208{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046971Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:20.208{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046970Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:20.208{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046969Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:20.208{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046977Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:21.872{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74F66E35D1D3F9430272D4DE2835C5CF,SHA256=35702D8A790D216ED5DC7B92753D45517A03DF0CFA6C887BD4B07913DDF9ADA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806623Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:20.511{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57200-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000806622Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:21.269{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22A3B0B890B4BA499F9B63AE4543ED7F,SHA256=849B80F3D20A59654A2644B4B94FDFD3D37EF0764CA5F1BA09921D9061379F3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046979Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:22.890{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72FD164EB079DB3ACB0B1EB1DA014F89,SHA256=F4B77B527F311B4C091544873BCF3BB31B60080E33AA322774DCA1E1E9FFDDA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046978Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:22.506{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\axpgvkas.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=BC5F78334C37347EC1CDF9BB5076AFA8,SHA256=E45C487185123555C47A476BC76CD90222DF7188429F9226623F61D66511D84C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806624Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:22.284{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA41B46129EA67A93F33776676966E8,SHA256=93771E4EAF9A8FC6B68C057A5EA07AF26511C47AE10146AD2C367834E02B7945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046980Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:23.906{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA1FB1F07729273C97FB53453FF95C62,SHA256=7E21BF69CCD0856572B6C1B926054A469433A7BE6013E000F7DBCAD8F2B37281,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806626Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:21.370{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57201-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806625Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:23.284{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF17258E527E8F918C58DDE6D0C12E7,SHA256=B6BEAEF197CFD5D4D2B2AB839B298043259E99BB95D2179D6C29451A9CC1BC7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046982Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:24.920{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B15E16B312E83868849C7B56502EB477,SHA256=E2A8A256028C56AECB831D8B18174430B755CCD6ECDA5E31421A8C320BB152AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806654Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.925{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F38C-60EB-5179-00000000D001}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806653Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.925{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806652Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.925{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806651Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.925{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806650Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.925{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806649Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.925{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806648Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.925{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806647Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.925{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806646Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.925{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806645Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.925{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806644Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.925{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F38C-60EB-5179-00000000D001}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806643Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.925{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F38C-60EB-5179-00000000D001}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806642Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.910{0C1E0330-F38C-60EB-5179-00000000D001}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000806641Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.394{0C1E0330-F38C-60EB-5079-00000000D001}4163280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000806640Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.284{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F6A9EF61298A631E24A9F6CC9BE12FF,SHA256=B0E493AD94B52151E657BDA5D83DD1862D54EEE8A4D9FB396E357B5616AA3BB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046981Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:15.643{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50953-false10.0.1.12-8000- 10341000x8000000000000000806639Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.237{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F38C-60EB-5079-00000000D001}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806638Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.237{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806637Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.237{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806636Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.237{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806635Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.237{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806634Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.237{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806633Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.237{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806632Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.237{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806631Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.237{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806630Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.237{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806629Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.237{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F38C-60EB-5079-00000000D001}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806628Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.237{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F38C-60EB-5079-00000000D001}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806627Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.222{0C1E0330-F38C-60EB-5079-00000000D001}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046983Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:25.935{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95F4C1CCA7DCE879EF3EA0FFDDE9319,SHA256=4A18040E0336479AF79439CBC487FA3DF3317D3C7CA018FFBFB2F0BF29922B95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806671Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:25.784{0C1E0330-F38D-60EB-5279-00000000D001}2688764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806670Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:25.628{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F38D-60EB-5279-00000000D001}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806669Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:25.612{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806668Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:25.612{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806667Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:25.612{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806666Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:25.612{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806665Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:25.612{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806664Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:25.612{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806663Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:25.612{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806662Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:25.612{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806661Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:25.612{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806660Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:25.612{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F38D-60EB-5279-00000000D001}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806659Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:25.612{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F38D-60EB-5279-00000000D001}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806658Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:25.598{0C1E0330-F38D-60EB-5279-00000000D001}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806657Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:25.300{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B9C421365317242B8F54C677C3C8D3,SHA256=4EFCA8179D1152E166FDA6C87E6BC58FBBC3A08CAAAC09863DB0684E32D67B17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806656Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:25.237{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=614C44CE2B69CE95EECC79F1571E4C21,SHA256=6FF453CAF1C579F6E5C0D0F03B716D22EF9733193D52F117CBA29431B6B8025D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806655Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:25.237{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9152998C636D4F6CE5F156BE1EE6AFD0,SHA256=7A88081DB62DFF3F0ADCDC6C60ABC5385D38E1140AF72BDACF7B51D8B61E39A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046987Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:26.969{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C98F1F3858319E367303577E6BAAA10F,SHA256=710CE96A3909DCB8360A4E4FA07E11320E704DC33D281C23990032F4754E4A96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806700Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.972{0C1E0330-F38E-60EB-5479-00000000D001}40483920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806699Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.831{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F38E-60EB-5479-00000000D001}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806698Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.831{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806697Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.831{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806696Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.831{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806695Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.831{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806694Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.831{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806693Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.831{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806692Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.831{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806691Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.831{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806690Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.831{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806689Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.831{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F38E-60EB-5479-00000000D001}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806688Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.831{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F38E-60EB-5479-00000000D001}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806687Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.817{0C1E0330-F38E-60EB-5479-00000000D001}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806686Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.612{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=614C44CE2B69CE95EECC79F1571E4C21,SHA256=6FF453CAF1C579F6E5C0D0F03B716D22EF9733193D52F117CBA29431B6B8025D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806685Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.300{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F5298DAA0A6D72EA0DE4643091A077C,SHA256=E15F73B0CB796546A71B89FC0B283617F58142093E995E4E04EE467A2D9DD773,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806684Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.300{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F38E-60EB-5379-00000000D001}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806683Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.300{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806682Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.300{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806681Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.300{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806680Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.300{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806679Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.300{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806678Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.300{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806677Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.300{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806676Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.300{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806675Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.300{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806674Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.300{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F38E-60EB-5379-00000000D001}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806673Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.300{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F38E-60EB-5379-00000000D001}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806672Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.285{0C1E0330-F38E-60EB-5379-00000000D001}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001046986Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:26.519{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046985Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:26.519{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046984Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:26.519{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046988Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:27.987{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43FBA1EB4BF1F308FD281924D535D6E0,SHA256=F474FDA0AEB6023B96A4E5254894C50224E2A0C314940FC34B998AFF60AAD5B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806716Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:27.815{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F1E3AC8F35C2E139BB77252538C303D,SHA256=D179FF0295A2EBDB85651B7B83DEC3F353D72835A6FE9FE1354C6F9D25095153,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806715Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:27.612{0C1E0330-F38F-60EB-5579-00000000D001}25642984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806714Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:27.472{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F38F-60EB-5579-00000000D001}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806713Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:27.472{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806712Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:27.472{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806711Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:27.472{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806710Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:27.472{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806709Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:27.472{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806708Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:27.472{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806707Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:27.472{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806706Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:27.472{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806705Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:27.472{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F38F-60EB-5579-00000000D001}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806704Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:27.472{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806703Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:27.472{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F38F-60EB-5579-00000000D001}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806702Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:27.442{0C1E0330-F38F-60EB-5579-00000000D001}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806701Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:27.440{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4FAC2D3FFE40B15414FB1703ED5B5B7,SHA256=D8B22EBD165368CD13593596DD438096339763FA667941DA7E9AE2BA7BFC4F2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806731Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:27.260{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57202-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806730Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:28.690{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57D0D76B04628D4539434989E6A811FE,SHA256=25CFA8CE3FAEB2F3538CB54029CD23405FB2AF9C650A2F2C3B1DBD848075B50B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806729Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:28.081{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F390-60EB-5679-00000000D001}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806728Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:28.081{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806727Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:28.081{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806726Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:28.081{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806725Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:28.081{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806724Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:28.081{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806723Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:28.081{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806722Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:28.081{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806721Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:28.081{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806720Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:28.081{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806719Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:28.081{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F390-60EB-5679-00000000D001}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806718Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:28.065{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F390-60EB-5679-00000000D001}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806717Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:28.066{0C1E0330-F390-60EB-5679-00000000D001}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806733Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:29.690{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1164DBB22CE20BCA636F9462FFD04D1F,SHA256=64FD577680A03B24774C17E3D6A85BEDB407D85EFF218FF9772847E926B80FDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046991Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:29.933{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\session.xmlMD5=70940ACC8AF473C36CCE561AB6B8222C,SHA256=B8BFE97824AD60A72BCC1579FB194FE67E572ED2D8A12B09B3A44DFA0418B5C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046990Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:20.802{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50954-false10.0.1.12-8000- 23542300x80000000000000001046989Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:29.002{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=668121370F370E8537F8AB6D446AB467,SHA256=CCE792C42149D6EFB12492AF963E8A3A23D74BBB6242D74C34C26DC3B952E0ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806732Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:29.159{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26412297ABD323C8E5A5EF0C9E0A467F,SHA256=26AEFDC4F88C87DC218FECD61C37E022D901DD0F5BFC81AB4452FE527BCD4DDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806735Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:30.706{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83A260EEDEA1D20E30016C2729C0FBB2,SHA256=A8B41A7A6F5F2F22A754969569C86E0096BEF2F672FD20921CC2D85FD4601438,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047047Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047046Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047045Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047044Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047043Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047042Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047041Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047040Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047039Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047038Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001047037Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047036Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047035Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047034Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001047033Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047032Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047031Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047030Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001047029Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.870{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047028Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.870{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047027Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.870{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047026Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.870{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001047025Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.870{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047024Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.870{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047023Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.870{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047022Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.870{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001047021Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.870{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047020Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.870{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047019Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.870{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047018Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.870{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001047017Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.870{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047016Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.870{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047015Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.870{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047014Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.870{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047013Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.869{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047012Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.869{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047011Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.869{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047010Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.869{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001047009Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.868{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047008Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.868{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047007Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.868{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047006Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.868{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001047005Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.832{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13ea57|C:\Windows\System32\SHELL32.dll+13ded8|C:\Windows\System32\SHELL32.dll+13dadb|C:\Windows\System32\SHELL32.dll+13dc47|C:\Windows\System32\SHELL32.dll+13dbca|C:\Windows\System32\COMDLG32.dll+10e08 10341000x80000000000000001047004Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.832{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13ea57|C:\Windows\System32\SHELL32.dll+13ded8|C:\Windows\System32\SHELL32.dll+13dadb|C:\Windows\System32\SHELL32.dll+13dc47|C:\Windows\System32\SHELL32.dll+13dbca|C:\Windows\System32\COMDLG32.dll+10e08 10341000x80000000000000001047003Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.832{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13ea57|C:\Windows\System32\SHELL32.dll+13ded8 10341000x80000000000000001047002Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.832{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13ea57|C:\Windows\System32\SHELL32.dll+13ded8|C:\Windows\System32\SHELL32.dll+13dadb 10341000x80000000000000001047001Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.832{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+1028d3|C:\Windows\System32\SHELL32.dll+103034|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 10341000x80000000000000001047000Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.832{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+1028d3|C:\Windows\System32\SHELL32.dll+103034|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 10341000x80000000000000001046999Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.832{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+1028d3|C:\Windows\System32\SHELL32.dll+103034|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40 10341000x80000000000000001046998Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.832{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+1028d3|C:\Windows\System32\SHELL32.dll+103034|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40 10341000x80000000000000001046997Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.768{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+1746d2|C:\Windows\System32\windows.storage.dll+174ba6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814 10341000x80000000000000001046996Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.748{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1747e9|C:\Windows\System32\windows.storage.dll+174907|C:\Windows\System32\windows.storage.dll+174e38|C:\Windows\System32\windows.storage.dll+1751eb|C:\Windows\System32\windows.storage.dll+143885|C:\Windows\System32\windows.storage.dll+145236|C:\Windows\System32\windows.storage.dll+145ab1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e79c|C:\Windows\System32\SHELL32.dll+6e2e5|C:\Windows\System32\SHELL32.dll+6edfd|C:\Windows\System32\SHELL32.dll+7241f|C:\Windows\System32\SHELL32.dll+13e82e|C:\Windows\System32\SHELL32.dll+13e446|C:\Windows\System32\SHELL32.dll+13dec3|C:\Windows\System32\SHELL32.dll+13dadb 10341000x80000000000000001046995Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.748{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+174765|C:\Windows\System32\windows.storage.dll+174907|C:\Windows\System32\windows.storage.dll+174e38|C:\Windows\System32\windows.storage.dll+1751eb|C:\Windows\System32\windows.storage.dll+143885|C:\Windows\System32\windows.storage.dll+145236|C:\Windows\System32\windows.storage.dll+145ab1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e79c|C:\Windows\System32\SHELL32.dll+6e2e5|C:\Windows\System32\SHELL32.dll+6edfd|C:\Windows\System32\SHELL32.dll+7241f|C:\Windows\System32\SHELL32.dll+13e82e|C:\Windows\System32\SHELL32.dll+13e446|C:\Windows\System32\SHELL32.dll+13dec3|C:\Windows\System32\SHELL32.dll+13dadb 10341000x80000000000000001046994Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.748{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+174749|C:\Windows\System32\windows.storage.dll+174907|C:\Windows\System32\windows.storage.dll+174e38|C:\Windows\System32\windows.storage.dll+1751eb|C:\Windows\System32\windows.storage.dll+143885|C:\Windows\System32\windows.storage.dll+145236|C:\Windows\System32\windows.storage.dll+145ab1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e79c|C:\Windows\System32\SHELL32.dll+6e2e5|C:\Windows\System32\SHELL32.dll+6edfd|C:\Windows\System32\SHELL32.dll+7241f 10341000x80000000000000001046993Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.748{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+174749|C:\Windows\System32\windows.storage.dll+174907|C:\Windows\System32\windows.storage.dll+174e38|C:\Windows\System32\windows.storage.dll+1751eb|C:\Windows\System32\windows.storage.dll+143885|C:\Windows\System32\windows.storage.dll+145236|C:\Windows\System32\windows.storage.dll+145ab1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e79c|C:\Windows\System32\SHELL32.dll+6e2e5|C:\Windows\System32\SHELL32.dll+6edfd|C:\Windows\System32\SHELL32.dll+7241f|C:\Windows\System32\SHELL32.dll+13e82e 23542300x80000000000000001046992Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.018{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E0848F2CA901CC15DAA0714D412093A,SHA256=7586283B71723A0C4C1BCC02842F092D3E8300DA5DB95332473AC22E10C89B00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806734Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:30.065{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=427D86622804FA503B75EAE58869AE01,SHA256=55B486C5F7AF1C3BC8157F37CFB32C72A6A4B19AB9C4362D7EF0A1EC71A49B1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806736Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:31.706{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A419902A4AB2FE646D1A9CC702A7F61,SHA256=51056FF7F9142238D1E8A8B1EAB534FC9E154F8C13065566F32F4B84C4B0F633,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047054Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:31.347{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3B6D4857B0918510BF38191E1DA5A6,SHA256=B5D090600915E75BB8AB7AD61AFC7E684004C1A76D8A6339E9A1A483BE71D559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047053Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:31.347{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=440BC6521921A76AB6E5BFA504FAE61D,SHA256=1F2C17A2B866B9E349DC44BFBDC80CD857CE1CCE387E78EE31D899B366DF0DB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047052Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:31.132{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047051Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:31.132{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\System32\SHELL32.dll+83770|C:\Windows\System32\SHELL32.dll+8369d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program Files\Notepad++\notepad++.exe+169a0f|C:\Program Files\Notepad++\notepad++.exe+1675f3|C:\Program Files\Notepad++\notepad++.exe+202e5a|C:\Program Files\Notepad++\notepad++.exe+202686 10341000x80000000000000001047050Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:31.132{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\System32\SHELL32.dll+83770|C:\Windows\System32\SHELL32.dll+8369d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program Files\Notepad++\notepad++.exe+169a0f|C:\Program Files\Notepad++\notepad++.exe+1675f3|C:\Program Files\Notepad++\notepad++.exe+202e5a|C:\Program Files\Notepad++\notepad++.exe+202686 10341000x80000000000000001047049Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:31.132{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\System32\SHELL32.dll+83770|C:\Windows\System32\SHELL32.dll+8369d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4 10341000x80000000000000001047048Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:31.132{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\System32\SHELL32.dll+83770|C:\Windows\System32\SHELL32.dll+8369d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program Files\Notepad++\notepad++.exe+169a0f 23542300x8000000000000000806737Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:32.737{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C0F977383E93A42DDA789C65A891803,SHA256=4295B59E5BFB024D4F9A1C78FC577BEB54259F9C2EDC756EDDD1AC032F9416EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047055Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:32.147{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B05252222EDD2ED56F111313B1D7AE,SHA256=6641E83CD2B2C31B54DA61215CDD2580E728FFF6F384529AFAEF78E97B017288,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806738Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:33.769{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CABA2C1F879540CAD846F2F12442D33,SHA256=0441B90FBBFBFDF94C82CB17C7CA1872390CBBBA3C68DFCD1A6FD5CF1C2CDEBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047056Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:33.148{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB64DFCD6DF2634F014B62AA0EEF09C6,SHA256=DDBC8E5EC2E5C5DE5C6AEBB9602EB2156A47BDCAEA1B430DB08267060B92E82C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806740Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:34.830{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D388D01E42DC38488206848AC03305C,SHA256=6929DCE688B9A333BE17CC9E47FB8B63A63AECC834B71589CC29CF507D8FB394,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047057Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:34.149{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C7EB30C41A2249C0A9D27FAF609DAB3,SHA256=C49DDB8B028EAE9845431CD9D98DC595DA0691EDC2A1C988EB1076480DAC220B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806739Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:32.370{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57203-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806741Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:35.830{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8813DBDD6777FFDBECF585EF93ACCAF0,SHA256=1D7DE05A726E3B6E2F04AC34B17930427DDCD24643E0AC529348783CC8F0F54A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047059Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:26.553{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50955-false10.0.1.12-8000- 23542300x80000000000000001047058Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:35.166{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2788A6E89AB00B291DCDF5F9B590438D,SHA256=3D7B1AAAF3B097EEED4E6B4D079FA46B41FD3FFF777B08B7BEB9A66D56C59CCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806742Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:36.862{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B2420D88963E522D3630381FE0AB3A0,SHA256=25090FB3CF3E349BE1B920FDF70384857F9A84DA299C9B23C24432FD24EA3DCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047142Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.447{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A35C08A32BA41E055672F01587E5D50,SHA256=7D380619E50BCAC8784C3ED2F506B3B0C6CB4DF9500360839464B1AD172F1A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047141Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.447{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAAFDA50ABC01B1302C4DA78A4ED24EE,SHA256=734B2C9F297A630D1E60E453658A71409E0EC8692992744F410CBEF8091F7E35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047140Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.248{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\backup\new 1@2021-07-12_074729MD5=BB87A22CABB0E1CBFD2B4B30711AA20C,SHA256=FA6EE1E8A154941D13A0F4520798BEDC4C573EFE7A1DA8CF9B2F30182DF2332E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001047139Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.232{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exeC:\Temp\test\sd1.ps12021-07-12 07:47:36.085 10341000x80000000000000001047138Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.201{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001047137Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.201{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001047136Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.201{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001047135Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.201{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001047134Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.201{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001047133Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.201{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001047132Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.201{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001047131Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.201{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001047130Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.201{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001047129Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.201{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001047128Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.201{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001047127Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.185{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001047126Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.185{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001047125Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047124Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047123Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047122Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047121Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047120Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047119Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047118Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047117Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047116Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047115Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047114Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047113Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047112Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047111Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047110Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047109Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047108Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047107Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047106Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047105Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047104Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047103Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047102Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047101Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047100Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047099Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047098Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047097Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047096Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047095Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047094Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047093Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047092Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047091Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047090Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047089Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047088Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047087Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047086Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047085Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001047084Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\test.lnk2021-07-12 07:44:24.124 10341000x80000000000000001047083Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047082Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}6356ATTACKRANGE\bobC:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\test.lnkMD5=426FCF24E244603549F387735AB7C1DD,SHA256=30719EDC1D4DDCD1799555569965D8730BE0CEB5C8C9AA004BBD76FC6660DA47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047081Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047080Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047079Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047078Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047077Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047076Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047075Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047074Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047073Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047072Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001047071Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.117{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\sd1.ps1.lnk2021-07-12 07:47:36.117 10341000x80000000000000001047070Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.101{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047069Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.101{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047068Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.101{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047067Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.085{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\windows.storage.dll+3c720e|C:\Windows\System32\windows.storage.dll+3c921e|C:\Windows\System32\windows.storage.dll+7a223|C:\Windows\System32\windows.storage.dll+7b829|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047066Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.085{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\windows.storage.dll+3c720e|C:\Windows\System32\windows.storage.dll+3c921e|C:\Windows\System32\windows.storage.dll+7a223|C:\Windows\System32\windows.storage.dll+7b829|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047065Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.085{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\windows.storage.dll+3c720e|C:\Windows\System32\windows.storage.dll+3c921e|C:\Windows\System32\windows.storage.dll+7a223|C:\Windows\System32\windows.storage.dll+7b829|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047064Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.085{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\windows.storage.dll+3ca38e|C:\Windows\System32\windows.storage.dll+3c603f|C:\Windows\System32\windows.storage.dll+3c7180|C:\Windows\System32\windows.storage.dll+3c921e|C:\Windows\System32\windows.storage.dll+7a223|C:\Windows\System32\windows.storage.dll+7b829|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047063Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.085{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+3c78d8|C:\Windows\System32\windows.storage.dll+3cbeef|C:\Windows\System32\COMDLG32.dll+d92b|C:\Windows\System32\COMDLG32.dll+d6ae|C:\Windows\System32\COMDLG32.dll+12618|C:\Windows\System32\COMDLG32.dll+1a2f9|C:\Windows\System32\SHELL32.dll+14064c|C:\Windows\System32\SHELL32.dll+105193|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+14a655|C:\Windows\System32\SHELL32.dll+13d653|C:\Windows\System32\SHLWAPI.dll+a3de|C:\Windows\System32\COMDLG32.dll+21b5d|C:\Windows\System32\USER32.dll+23a42|C:\Windows\System32\USER32.dll+1f839|C:\Windows\System32\USER32.dll+1f7b6 10341000x80000000000000001047062Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.085{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c78bc|C:\Windows\System32\windows.storage.dll+3cbeef|C:\Windows\System32\COMDLG32.dll+d92b|C:\Windows\System32\COMDLG32.dll+d6ae|C:\Windows\System32\COMDLG32.dll+12618|C:\Windows\System32\COMDLG32.dll+1a2f9|C:\Windows\System32\SHELL32.dll+14064c|C:\Windows\System32\SHELL32.dll+105193|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+14a655|C:\Windows\System32\SHELL32.dll+13d653|C:\Windows\System32\SHLWAPI.dll+a3de 10341000x80000000000000001047061Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.085{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c78bc|C:\Windows\System32\windows.storage.dll+3cbeef|C:\Windows\System32\COMDLG32.dll+d92b|C:\Windows\System32\COMDLG32.dll+d6ae|C:\Windows\System32\COMDLG32.dll+12618|C:\Windows\System32\COMDLG32.dll+1a2f9|C:\Windows\System32\SHELL32.dll+14064c|C:\Windows\System32\SHELL32.dll+105193|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+14a655|C:\Windows\System32\SHELL32.dll+13d653|C:\Windows\System32\SHLWAPI.dll+a3de|C:\Windows\System32\COMDLG32.dll+21b5d 11241100x80000000000000001047060Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.085{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exeC:\Temp\test\sd1.ps12021-07-12 07:47:36.085 23542300x8000000000000000806743Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:37.893{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1FF80F4A8ED25232060CDE63C866C60,SHA256=0EEE00F94E4D5EDD0C938DA9F4597B2F550DC69DD00659A953D7E4D0181DBAB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047143Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:37.215{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C151CC5D9A77E44321CDEEB198DDC6CE,SHA256=E0BECE4568CFB94F7A3949CF7EB791209A727C2AB4088F6A8AF9D53834EE190D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806744Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:38.909{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A50B3F8421C7E8AE07A0B57A087774B,SHA256=B9307C494A2F5C399D59AB30903EB3CE7AC8FB521E94216657D62800C165CEC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047145Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:38.485{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0207B6AF6851FAACBB9E46896BEE388B,SHA256=1494F3CC3526CFE484CF3AF0A4B3A02350BBE944E6D88A94AC33B8B843E5FDEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047144Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:38.217{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C24A2B36B5129C08408142B6B2907D0A,SHA256=A6F8CF01180A853E344C6ADE6CC721E03EAB1759FAA7A345E9D9F11423EF9964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806746Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:39.924{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6122BCA6D0F75D70352C81FBA170470D,SHA256=DC8785AC3E1455DC95820F969EBA62EF7F1EFCC2449D4FB3FF7528AF478A431E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047146Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:39.232{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5EBB584FAE538C2DD52763DDC1B923,SHA256=973B88B562736FC42A2BFE936D67D60F11501FCD55E2C3D47C8A6B26887E1B91,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806745Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:38.275{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57204-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806747Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:40.971{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98D7DD809CE9A7FB583728F0B7C71017,SHA256=0930F61D422D1DF110FC143A9477587A87A0EE55801FA61CEDE81977514FB9CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047148Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:31.713{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50956-false10.0.1.12-8000- 23542300x80000000000000001047147Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:40.247{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9600357BB104448502D4099B8CCFB4A,SHA256=891FBCD829D698227A607B873FB5B34441010E045C5ECC69AAEAED4E50F2E223,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047160Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:41.915{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=DC50045B664F1BA7D5BEBB888F4F28B8,SHA256=7A0CBFE3C1637A96916BAEB526C4419F72D00ACE8DE0F328144BA210C777F00E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047159Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:41.915{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=157F693F4E51D94DA8A7E379D8E7BDBC,SHA256=4B96C945F6C4F149D9650D7A4EE23A4BAADC5EC6D5219F33F06B9A2D196BC41A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047158Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:41.899{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7CD9AA6A35158B09D8082990B77C36A7,SHA256=CB559C2A5D68D782376F2315CA032B4250F8E3021AF4F460B4FC3C9A25105837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047157Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:41.899{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F74099A4A3866FD6B1CB4D0FEACAB390,SHA256=123E28A64690A3404C0B1E83E90429F9DD255FB512FCD5ADA88D9DA3C551E5CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047156Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:41.899{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7287B5E5E932885845D92597C1432299,SHA256=E52B32B3B0BC6F6F37583F72AC57E35EA4AF180C6C5CB115254BEDE654B30F4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047155Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:41.899{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=6DA303825C1E51F23AB07EE8C1FC95E9,SHA256=A54F15A7386CBCDCFD4892D18F68F8F7116E127661C9E80F1E6E1128D8549E7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047154Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:41.899{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=2A444EDFE1D68B556C3763CB6F3DDC34,SHA256=92EFBF138B05CC21E53E10A0C08E9B965CAF497FDDBA2C24D6CA3710D13F40BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047153Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:41.899{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=288D24AC70965A8B940CF60A278B02DC,SHA256=C54B55EF45A529A35710273102F7FCCF39F70225A299715D7EB67B9B75BC6E17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047152Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:41.899{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=E82B17A7673FB1AFA616725AA247EE64,SHA256=81071026562F60CF544D1525A90DA3D2F0CE24297642147436AE65D2C43945E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047151Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:41.899{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7554B237D3E7E8561CAABA8D8100DC3D,SHA256=A52CB31B2A5443511172203244D9BE84173552686CDF8AFCA84EFB3C0E7B78BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047150Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:41.899{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=E3DD385343381166D169B4B6CDFEE748,SHA256=69269029C52A856C46B9AA981E0B3FD26EB6A7A60BC49509C1960124F6E8A40D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047149Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:41.265{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7666A9025030A2FB4192A445167E7E55,SHA256=10B5A31CABE011A5CB66C20D840B6F9CCED76B5CFF630249228E4DC52982B6BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047161Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:42.283{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=905AAF0692F54E1ECF8F3A12A22037CE,SHA256=816B710E019CE383369E80AE633CA0BECD788522711DFF1382898CE1D2588128,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000806749Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:47:42.473{0C1E0330-0490-60E8-1100-00000000D001}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d776f2-0x320f2ee7) 23542300x8000000000000000806748Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:42.004{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=418CE3FF6A56C26BAC61B5AD5889C108,SHA256=BBB42141F4CABDFAB2B5A201B8DFCDDCD6ADEE5755C293C0150EFB36A8F45589,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047162Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:43.284{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2E310142C159F497BE9175AC741863C,SHA256=2CBF4386A121155640B3677FDDB5057AD82F74610E5892099C653028D78CA14A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806752Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:42.605{0C1E0330-0490-60E8-1100-00000000D001}988C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-623.attackrange.local123ntpfalse20.101.57.9-123ntp 354300x8000000000000000806751Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:42.605{0C1E0330-0490-60E8-1100-00000000D001}988C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-623.attackrange.local123ntpfalse10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal123ntp 23542300x8000000000000000806750Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:43.017{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B51C57B0F9DC93F90207B69FC6730FE1,SHA256=7A25DBAE6D4260A309D3EAEC30E06A964DF3C3CA91B94955EF589A7BC16B203C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047165Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:44.915{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\session.xmlMD5=87B77072FFB2C90FA5EAF25239CC4493,SHA256=0633CF3F00349F15EDFAE505F6333FE2F96C6B4117FF28F27CAF117B10EC5469,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047164Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.005{466BC892-02AF-60E8-1000-00000000CF01}432C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-890.attackrange.local123ntpfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal123ntp 23542300x80000000000000001047163Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:44.300{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAF684DD9E68F6257406D76590E4E0E1,SHA256=6EEB447589AFB17F598E4A065333A4BB4EC691CE68FD40B6B20F2E4EE45348B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806753Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:44.019{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=503D1A59F381A7252677923F8A813C19,SHA256=A1B380A1CA73AF7BF5DF4A2F2C24E68AB3769AE62D363F2844B683B13DD5DC43,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047167Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:37.699{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50957-false10.0.1.12-8000- 23542300x80000000000000001047166Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:45.331{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=552CABD9353099089FCD5D012CB152C9,SHA256=C96C4AE954E42BF86086735004C6F4F9CE9E4DDB6549C71469BA8C196FD40468,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806755Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:44.261{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57205-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806754Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:45.019{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D93A04BCD86867F9EBC05B4FE4F5B75,SHA256=AD4BB6A12C6DB8596726D7C406EC1E1CFBD30271AD1CA1506C6D74D9AA11EEBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047168Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:46.331{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8BFEDDCB967CC59D77316A6845B59C8,SHA256=3A4D0F1ABAA47651C8DAD8B430C904A900FAB3E7DE41B92A89E270E8C77E8E26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806756Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:46.034{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC2CBB1FCFABDB09ACEE6B7C2E4D3E29,SHA256=A9E765347864626DA615DFC2266BA9E547353F880618030B30AB27ABB66A6FA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047169Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:47.346{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D18CCCD43FDA92E5F17672E07E7F55B8,SHA256=5B26CA78DDDA0BDA6562C062F62DF41BA3E4B774A12799622C6D78CC59912DAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806757Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:47.081{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=485BC0A44B3B1A58DE3F3544CD80F8DE,SHA256=D2ED25CE9C229FF2C883C011CA5E65B94EEC9E343E305069D55D68684F686F97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047170Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:48.364{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=921D8DC94759CA863D16D9C8C1772A12,SHA256=59BFDE0699D3D86F7D8CA0E07FF614DBDF57A6D6D4F697BDA21DAEF512A05F67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806758Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:48.081{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4FCE9ABB5A4C56C07635DF5345DB638,SHA256=72BD730DDBD95DC6517E03406D78FB2643E7D79B58EF7CA3534BE29F107EB22F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047171Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:49.382{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1D105172BCE1CF875A0DDD38D6953BF,SHA256=74AFCB256C1930B80C41C196BF7310C34DFB2C3124C16F1C7A97FAEA471A3DFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806759Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:49.191{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4E997892560AD22E61ED841ADC13FC1,SHA256=87C6C4FA6909FF71C2F8EC830F396DE56D288729E126C8C062DB7A2A178A3B08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047194Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.982{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\session.xmlMD5=60AA3CB50947AEEB7EE1898933287EAE,SHA256=7FA1C71AC469F91E91D660B7313A70A73D938EE201A7D96FDD540804CE99914B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047193Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.729{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F3A6-60EB-067D-00000000CF01}9596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047192Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.729{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047191Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.729{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047190Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.729{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047189Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.729{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047188Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.729{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F3A6-60EB-067D-00000000CF01}9596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047187Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.729{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F3A6-60EB-067D-00000000CF01}9596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047186Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.716{466BC892-F3A6-60EB-067D-00000000CF01}9596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001047185Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:42.796{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50958-false10.0.1.12-8000- 354300x80000000000000001047184Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:42.250{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse84.242.35.58static-host-84-242-35-58.awasr.om56340-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 10341000x80000000000000001047183Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.414{466BC892-F3A6-60EB-057D-00000000CF01}19402008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047182Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.383{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=148DD137428839E587335EFAF7577994,SHA256=8A89D255A740719988706D1B524DA8DD32CDB1EA5B2E4ADDB534F899CA11D01C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806761Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:49.401{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57206-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806760Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:50.191{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07DEF48B1CBEA9847130274313A19A73,SHA256=9E3CCD713ACF68ED4D6878C7661F295177729FA49375D2505D71B71A2CBE5AE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047181Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.267{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88B7A9A6F34AB5ABAE6618600C181EA4,SHA256=74EDC32F77B2A488E6445246D4EC3639EC11F6BF7BB537C267982F39F16C8804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047180Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.265{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6B014ED0940D12E251C3B2E5AB5ED56,SHA256=BC0C0AE815C90B3E5DDBE7118A4C0C534E23D9DA5017381283B3B45CE2C910CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047179Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.199{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F3A6-60EB-057D-00000000CF01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047178Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.199{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047177Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.199{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047176Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.199{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047175Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.199{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047174Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.199{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F3A6-60EB-057D-00000000CF01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047173Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.199{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F3A6-60EB-057D-00000000CF01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047172Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.184{466BC892-F3A6-60EB-057D-00000000CF01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047205Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:51.728{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88B7A9A6F34AB5ABAE6618600C181EA4,SHA256=74EDC32F77B2A488E6445246D4EC3639EC11F6BF7BB537C267982F39F16C8804,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047204Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:51.597{466BC892-F3A7-60EB-077D-00000000CF01}96688124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047203Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:51.413{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F3A7-60EB-077D-00000000CF01}9668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047202Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:51.397{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047201Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:51.397{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047200Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:51.397{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047199Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:51.397{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047198Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:51.397{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F3A7-60EB-077D-00000000CF01}9668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047197Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:51.397{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F3A7-60EB-077D-00000000CF01}9668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047196Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:51.398{466BC892-F3A7-60EB-077D-00000000CF01}9668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047195Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:51.397{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3270FB3230F6C5E1E1F808976FD74334,SHA256=999291B43BF43EB43AC4C4D5A1A546F9961EC107B8705D54DB012210C15EFDFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806763Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:50.494{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse62.80.172.54-56974-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000806762Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:51.206{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0118FD03F78E5DB5AE9189E2A48E1DC7,SHA256=B1B7314BEDAD40C2835A37A4B0BE0BDC3F76000CCD66CA3850B379D058967F80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047223Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:52.766{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F3A8-60EB-097D-00000000CF01}9532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047222Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:52.766{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047221Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:52.766{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047220Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:52.766{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047219Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:52.766{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047218Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:52.766{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F3A8-60EB-097D-00000000CF01}9532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047217Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:52.766{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F3A8-60EB-097D-00000000CF01}9532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047216Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:52.761{466BC892-F3A8-60EB-097D-00000000CF01}9532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047215Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:52.412{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3727CAF1BE768B799778AA719B0ED0F2,SHA256=FB66C54E8AE9F39B49D3264D44FE72A65B42D86B06AE1F6199A1C8A2C4A0C35B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806766Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:52.659{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA3587ADE22FA55F9C7B033593FF2E72,SHA256=EF450D869872E4B738411B1A8B7EE1F4F2AAF509984AE6168D52BE0E22C60CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806765Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:52.659{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=357FDD3B4763C03C1849EA6F2E953C28,SHA256=EEB9D79DEED58F23C85FCC151DE94A03EB50F62DCEE358D64643E92740CE579B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806764Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:52.222{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38A4BD72AB1EDE547A5E0C6D5C8CA0D3,SHA256=E1F62DE68BE2C488E189519DE2C87C9C3851966895878F00FE46192087B400E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047214Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:52.297{466BC892-F3A8-60EB-087D-00000000CF01}101448252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047213Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:52.097{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F3A8-60EB-087D-00000000CF01}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047212Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:52.097{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047211Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:52.097{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047210Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:52.097{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047209Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:52.097{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047208Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:52.097{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F3A8-60EB-087D-00000000CF01}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047207Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:52.082{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F3A8-60EB-087D-00000000CF01}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047206Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:52.083{466BC892-F3A8-60EB-087D-00000000CF01}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001047234Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:53.680{466BC892-F3A9-60EB-0A7D-00000000CF01}88046488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047233Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:53.465{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F3A9-60EB-0A7D-00000000CF01}8804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047232Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:53.465{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047231Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:53.465{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047230Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:53.465{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047229Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:53.465{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047228Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:53.465{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F3A9-60EB-0A7D-00000000CF01}8804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047227Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:53.465{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F3A9-60EB-0A7D-00000000CF01}8804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047226Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:53.444{466BC892-F3A9-60EB-0A7D-00000000CF01}8804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047225Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:53.428{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8884BB4861ACEEDEC32C24D9FD4B9D8,SHA256=452ECA0ABE16776733A3AC0D41443753E5EC36680865E508CDC0B58AEF15D19F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806767Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:53.253{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55562CCC3D4E56017E2E2A48E537F237,SHA256=C7005E00A853A2C8952B441E00B7F11785D020F637565EFCC1B6173AB3BE2991,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047224Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:53.097{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F930C7805F529F26B3C22A7ED6DC677,SHA256=771EBADE831C6E0D26DDA0FA0866E7D26C001DD7D18974A3BCF88F9E9A661EB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047245Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:46.659{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-50097-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001047244Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:54.429{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBF00ED5D9C0E7421CC9E693860FFC53,SHA256=EC48BC676177FCE7A128A00AE250348DEC749F2E8796D3BF10F1569F7FBCDFC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806768Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:54.287{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9C1729BC593C1D23CD3B11D3607B532,SHA256=9626E2EC2D02D4E8BCA447DB50773E2ACC44B67603FF3F2C4C8C05ED756704D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047243Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:54.382{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC9C5D281074D7CECDFFC7476769EEDE,SHA256=F0BFA9FC8B3A661644B04BB42A61B0E8E94E1BBDF8E5B451174B52AA3F60B858,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047242Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:54.143{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F3AA-60EB-0B7D-00000000CF01}9504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047241Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:54.127{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047240Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:54.127{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047239Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:54.127{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047238Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:54.127{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047237Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:54.127{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F3AA-60EB-0B7D-00000000CF01}9504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047236Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:54.127{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F3AA-60EB-0B7D-00000000CF01}9504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047235Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:54.128{466BC892-F3AA-60EB-0B7D-00000000CF01}9504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047246Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:55.442{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E14315ED6CAE27553C5CAC919398F35,SHA256=6A1364343805C2BC9F47E00406E5386A8596D7DFC1830A5765C3D3F7FE06C73C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806769Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:55.287{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=702B55380026247A6541A101DD323EB4,SHA256=4F187064CDD1AF02891441958BF5D88A5DCF1C8467DDA617EF7470367D3006BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047249Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:56.842{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047248Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:48.732{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50959-false10.0.1.12-8000- 23542300x80000000000000001047247Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:56.460{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55C1FFBDF73521CCC9480642E3DD81CF,SHA256=555C3276E6ED49A0E127D00C3BA0951505A9B94B734340FD1C9D36E19A0912A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806770Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:56.334{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C7F422D177E7C093DC8CD422A97CAF5,SHA256=2EE41D615C975A321CBCE60E283AA60DBB6FC597D1FE6F5E59B4423700A84F56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047251Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:57.994{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\backup\sd1.ps1@2021-07-12_074750MD5=9C23E0F56B84EE9709000172EC5E6F3F,SHA256=CE019FECC2D05EB84CD552E654AD6C83D6E142EEC43A7B5CC27BCFDA8DC8CA6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047250Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:57.479{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0B8763740CF39A5A0CB95479D03E65,SHA256=240EBE0E67DDB0587DF58636655C4975F29F9359101E22E149FFCDCC2F212BAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806772Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:57.334{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73BBDCDC77430C1C09EAC87CD45F8B9D,SHA256=6A2E2BD90FCE7BE2035497BB2BC3EB973BC6FFAE052F15DDB0E0841A857CBA5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806771Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:55.295{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57207-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001047254Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.378{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50960-false10.0.1.12-8089- 23542300x80000000000000001047253Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:58.493{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6DA28F84768BF0E580DADE364202B02,SHA256=5262691E7134C7CB3B3EAB6493B2DC2DAE293A26A4F9D7829E4545F1B663A638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806773Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:58.334{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3916BD0BFC9B9843E50473255CA363EB,SHA256=FDC8C4CBC90D9493443D85CFB75EAAF9495A1DE0DB14DE955CA3BAD2CDAAC0E0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001047252Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localEXE2021-07-12 07:47:58.225{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Temp\test\virus - Copy.exe2021-07-12 07:47:58.225 23542300x80000000000000001047255Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:59.508{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D6E7020D2D790FD19829176E7A5664,SHA256=ACE3EB042AB77FA66FD65D1C0E9AD1AD5363A5BD6B3F1B5AE1FC0A90FD4A25D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806774Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:59.350{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69B2F595C8C032773E373221FAD3D5CA,SHA256=537EC611A666881A7A7CF262B6E5A0F77F05DAB0C884D24568BA814888B499EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047256Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:00.522{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B9E9B77AC432598B695A5FB55C77E3A,SHA256=1A21B270FF648B607D9B4CA0DFEF5C8903A76865B547DA23DAFAD423B7058431,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806775Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:00.350{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E5BEBCCC413CBADED8970EE7827E0A6,SHA256=C77BC474E7F4374AA0AF537BF8CE548D92A94103D4065D8373EE049F1E435490,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047257Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:01.537{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F43066DDC41577799FBBACE42BD2EBD8,SHA256=5B12B157EAC7CB38F9443AA59A84B580A0BC201EF24C9A41CF3BE145CCAE388E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806776Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:01.350{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE630666EC5791902E29E6A70B40CA7,SHA256=EBBC2156276416D3B6E73DFC449AABF86A90BD9F07849EE1DD0EC1DE438BD4B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806777Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:02.365{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BB46FFCEB6D76D0543E04377BF15AB3,SHA256=C2C1405B315C2C9E6BB63EABFC199573C9AE3EB197CB9B1CCB4453481987123E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047258Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:02.537{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=593B07DA7ED1C3F01756AF13C101BD1A,SHA256=2F4D6E3E94057690D9D42D2E59033C24A5CB8D12B6E1D5A5A03730309A93F140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806779Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:03.381{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E550CB0BA122413BF9A037B4C6447B,SHA256=962401C0175F317E7ADD84D318F5FAE1CCD657E3E25AA332B75E3EF913578D9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047268Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:55.474{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse62.80.172.54-51147-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 10341000x80000000000000001047267Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:03.689{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047266Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:03.689{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047265Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:03.689{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047264Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:03.689{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047263Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:03.689{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047262Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:03.689{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047261Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:03.689{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047260Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:03.555{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F0E08AA6E3918F1E9A68E65EAD02895,SHA256=33A380C1508F43B717145E143225ACAA2B8C40EADAC27FBA23C604C24C6E5700,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806778Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:01.279{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57208-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001047259Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:54.728{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50961-false10.0.1.12-8000- 23542300x80000000000000001047271Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:04.572{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=197A9AB4F9BDC197CB912F319BDCA544,SHA256=D83C71250D3E8E6CECBDC2177639F9161438A566A761F5DD03AB13508E91603B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806780Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:04.428{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CF11493BA679DF426062013F8595C1E,SHA256=E4252011A06FE9EEA1BB8C6A6AFFBC19971226E09B0C111406DB41EEB815AE0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047270Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:04.457{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06C8AE7ED812851052778A1AFE15E838,SHA256=799F0025284F0048C041692A1F13DE94ED40841D84399DD76670D79396A8275B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047269Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:04.456{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAEF87BD0F755745293DA7AD8FECF87C,SHA256=9C5516111B39DC8070EBEE9EC7568D95E462B1C7EC19D40B4438359DF3FE0C0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806781Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:05.444{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02FCF41B13CF78CE28BA0C9173D4C523,SHA256=00F1C91694E964AA799913524F77D0ED7B1E72ADF4A21635A8687405E6A700FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047272Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:05.587{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61C58A5910CDA68D038E2A9F824FC915,SHA256=5F96BF0F5DCB159D08A67CCDCBA7597861C5A0ABA546D4457B47B9AAA4144253,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806787Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:06.709{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6423D47DA0DD9DEAD78CCF4BD5BF2B7,SHA256=916354ED5C160319356B1DF2EFD639E6CE8D026AFDD3DF0E64173B0B56CE3CB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806786Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:06.709{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA3587ADE22FA55F9C7B033593FF2E72,SHA256=EF450D869872E4B738411B1A8B7EE1F4F2AAF509984AE6168D52BE0E22C60CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806785Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:06.475{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17D04774DD364E96A734DB528B7D35E0,SHA256=3E83A0FA7DA420D1F280B7D12877006DE00042FD167EAEF76DE7BA815C47DA13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047278Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.602{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DB54404EC7F1D6A7C6BE0731AB731B7,SHA256=1FD9D9945A4C88E8341824F956918178E7EFD15DAF23B73FCF386559ABC5DB01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806784Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:06.240{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1500-00000000D001}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806783Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:06.240{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1500-00000000D001}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806782Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:06.240{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1500-00000000D001}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047277Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.202{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047276Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.133{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-53D9-60E8-E60F-00000000CF01}3924C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001047275Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.133{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-53D9-60E8-E60F-00000000CF01}3924C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001047274Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 07:48:06.133{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.3924.430.168737781C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001047273Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 07:48:06.133{466BC892-53D9-60E8-E60F-00000000CF01}3924\chrome.3924.430.168737781C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000806789Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:07.506{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F60102028FCEB62B873674FF9CC164C,SHA256=0E4EA710B67FC477687EF61D250B0DCCC5E81D3001815557EF06D8180F263E31,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047281Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:59.753{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50962-false10.0.1.12-8000- 354300x80000000000000001047280Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:59.244{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57209-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x80000000000000001047279Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:07.602{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C71C67B285AE52A32FE503C3A6B4852,SHA256=25587E3AE94C85ACA6FBA314BE3B2589AD0B9F58CA86485F819E4C161F82ACA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806788Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:05.549{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-10074-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x80000000000000001047282Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:08.616{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=357A5B22C9265F6A835C54E34A6ACC69,SHA256=ED2F4EA5D0B70C644CA63972C1A4619F9BFF6170BA54782E572887E4AB311A65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806791Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:08.522{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48D5DBBA7B57D475055E7D25CA73FFDD,SHA256=CEBB62D27BD20D4C824EC5E8AEB6BC72E5E7D545E12D15FEF71756AEA292DF77,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806790Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:05.845{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57209-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x80000000000000001047283Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:09.631{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=378EFA370F67656C080F845FC31A9330,SHA256=7719259F8EA1EEB12864122DFAF1BAF01E80C9C29862FED4EF45C8B6A8EED541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806793Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:09.553{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E852ACE3D077D90036A6354C0B1392E1,SHA256=A5CF5F8C9981B384939DF0BCB32F0A079E5794E35435C286AC6546FA25F98173,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806792Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:07.186{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57210-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806794Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:10.553{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=762E679C2961DC33449EE8F038E10537,SHA256=DEEFA6BB301219A7C21F62CBE06BCAF9F4C56BB4CC5B4EC05BA5903E1A4A4CFB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001047285Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:10.968{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exeC:\Temp\test\ws.bat2021-07-12 07:48:10.968 23542300x80000000000000001047284Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:10.648{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6D59565B27F726882981AB08A33FC04,SHA256=4EC02FFB30AA41C8A00017AB1E83DE42517EF61DB5189599B931E1E57FD93138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806795Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:11.553{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D6D40C2AD26A75EFCC688EFEFA858C7,SHA256=C6914B7704D4BF97F1410655623A3EFD82FC957FFFAD7522A1E60E6AAB6A37CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047286Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:11.667{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8524F21E34A1D83E7DEC15DB6CE6D87,SHA256=57B283EDBB253327B91D39569D37A7482340D75C1E0BC94FB10F37760CA6FBEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047287Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:12.682{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=742838FAE294EBE49EDDACE13820E9E1,SHA256=F57C9C326CCD856E9A03E06F8102209B1855895D667E77E323311CC41C7DA75B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806796Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:12.600{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F627D46AA8922EE4A250A0779BA8D0DC,SHA256=AFB94ADC5FDDA9DE4C1FBCF7315B87440CB3606D77268BD1EE0896CB69F4760B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806797Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:13.616{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29978AB9D281AEBFD808C0BC54B54FDB,SHA256=F318AE4C03378263210AC87C5F691DD518B16AA97FE343B80E93DC0524A4C764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047288Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:13.697{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=309EECA8ED7717A5061ECA99AEBDBB78,SHA256=C966C387785762C0E1B9405BB1933C53173B64C866467BCA9D3CA020628B62AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806799Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:14.629{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F169DD8A4B92C1FE19C3599338254021,SHA256=549A4133BBBC39E8F32B09B83F4606D1A48A5CC889118C335889A343B8BF730C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047330Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:14.745{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45C0B0282C82515691F80B46109CC970,SHA256=AF96AC5C235BF6E22492FB8DDD9EB503FACDE65E9708713F97BADA610A438150,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806798Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:12.295{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57211-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001047329Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.970{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local55715- 354300x80000000000000001047328Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.969{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local63782- 354300x80000000000000001047327Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.968{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local55054- 354300x80000000000000001047326Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.967{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local61136- 354300x80000000000000001047325Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.965{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local61718- 354300x80000000000000001047324Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.964{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local63948- 354300x80000000000000001047323Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.963{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local56018- 354300x80000000000000001047322Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.963{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local56031- 354300x80000000000000001047321Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.961{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local58627- 354300x80000000000000001047320Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.960{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local63965- 354300x80000000000000001047319Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.959{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local59564- 354300x80000000000000001047318Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.957{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local59824- 354300x80000000000000001047317Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.956{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local54709- 354300x80000000000000001047316Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.955{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local64188- 354300x80000000000000001047315Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.954{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local53687- 354300x80000000000000001047314Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.953{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local58849- 354300x80000000000000001047313Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.952{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local65455- 354300x80000000000000001047312Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.950{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local61152- 354300x80000000000000001047311Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.949{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local60493- 354300x80000000000000001047310Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.947{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local54078- 354300x80000000000000001047309Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.945{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53744- 354300x80000000000000001047308Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.945{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local62085- 354300x80000000000000001047307Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.937{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53775- 354300x80000000000000001047306Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.936{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local58883- 354300x80000000000000001047305Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.936{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local55404- 354300x80000000000000001047304Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.934{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local53248- 354300x80000000000000001047303Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.934{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local55794- 354300x80000000000000001047302Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.933{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local57718- 354300x80000000000000001047301Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.932{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local60908- 354300x80000000000000001047300Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.929{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local62674- 354300x80000000000000001047299Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.929{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-890.attackrange.local62674-false10.0.1.14win-dc-890.attackrange.local53domain 354300x80000000000000001047298Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.928{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local62260- 354300x80000000000000001047297Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.928{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local62260-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domain 354300x80000000000000001047296Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.919{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50965-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local49666- 354300x80000000000000001047295Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.919{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50965-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local49666- 354300x80000000000000001047294Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.918{466BC892-02AF-60E8-0D00-00000000CF01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50964-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local135epmap 354300x80000000000000001047293Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.918{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50964-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local135epmap 23542300x80000000000000001047292Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:14.381{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACF9E7083283591250BABF71865EFFAF,SHA256=1348CB8A97087BB70CD45899F17E3E4CC98BAE3EF867EA8150210A87444FBDBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047291Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:14.381{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06C8AE7ED812851052778A1AFE15E838,SHA256=799F0025284F0048C041692A1F13DE94ED40841D84399DD76670D79396A8275B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047290Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:05.733{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50963-false10.0.1.12-8000- 11241100x80000000000000001047289Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localEXE2021-07-12 07:48:14.097{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Temp\test\virus - Copy.exe2021-07-12 07:47:58.225 23542300x80000000000000001047341Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:15.765{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F103ABF9EA1607008FE93143F2EED69A,SHA256=0E7A7660C066DF19721ED5291FB495DCCA0219BF9C99E6AF22ACFA3BE9F61D11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806800Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:15.660{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403F82C24AC86440BCABE0A480CE0221,SHA256=0EC76271AA39F92FF42FA44C876720649DC4A14D810FBE41FD817684E3AA1928,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047340Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.980{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local61885- 354300x80000000000000001047339Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.979{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local58829- 354300x80000000000000001047338Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.978{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local54530- 354300x80000000000000001047337Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.977{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local58800- 354300x80000000000000001047336Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.976{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local63057- 354300x80000000000000001047335Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.976{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53579- 354300x80000000000000001047334Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.975{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local58889- 354300x80000000000000001047333Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.974{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local63131- 354300x80000000000000001047332Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.973{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local61760- 354300x80000000000000001047331Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.973{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local55331- 23542300x8000000000000000806801Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:16.692{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF1AFE15EE1FB73B9965DEBCB266329F,SHA256=46E257099543434577653AC57F5B30EB3BA1755C8767F8D5B231C6DFB0CEDBEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047344Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:16.779{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3896C0499E677958B5CCCDEB29839A9F,SHA256=75E1ACE6C89CB250901DA9ECD63BC3FF1FCA3D9456126B5FF77A3AA7507E6571,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047343Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:07.918{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50966-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001047342Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:07.917{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50966-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x80000000000000001047345Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:17.794{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79C6DBC7519F20A244DAE18CD56F2408,SHA256=565D97CFB98A3D6EC9892E5FE6E91738A3484107D3BF09134F73AAAC5E673871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806802Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:17.723{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5787C23B7E01100CC28719DE1712EFBD,SHA256=13DF838F048BE5A17C484E1F9F1AF74DA8C15975E8D50063258AEE35FBE55DEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806804Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:18.770{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=724866EB3284D82EF748056A8ED27309,SHA256=40C753316EAF2D5B064A0D0452C1DE3C6E9D5908D95EFD14932C43532D0855BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047347Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:18.808{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DECFA080905A158CCBC81EFC7114F0A1,SHA256=9EF3A9F0DA0E6271C57997796A5B09133AA2664ACE23E3E8E8348CDFC25B12A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047346Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:18.225{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806803Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:17.309{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57212-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806805Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:19.770{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38EA1683B02C2947AA2BDADAD12D27FB,SHA256=FA5BABC3B345E40BE49933015D4CD12B16F6489D8C4589AA95D43DA08AC61E1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047356Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:19.823{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EDA04630820D9876395D471EC67C078,SHA256=F59687CEBE86F3D01973BF86879D7057A9AC51F4C850FB450D23D6726B781908,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047355Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:10.793{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50967-false10.0.1.12-8000- 10341000x80000000000000001047354Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:19.124{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047353Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:19.124{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047352Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:19.124{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047351Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:19.108{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047350Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:19.108{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047349Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:19.108{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047348Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:19.108{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000806807Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:20.801{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=019C2759F309C7889D8350A8E4DA618B,SHA256=1E318FD1585A4AF34A344352B90778B5D378618CD42296838398557E39A1D244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047357Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:20.839{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87410BF8276CBE5100955B1DBACC0E04,SHA256=BB85B74C2A83DC1B919D3952D29689B4F29F3E90840F15AABED136790BD20675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806806Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:20.395{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047358Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:21.859{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44B3097C93B951DFC516D134AC44F31A,SHA256=722396C50DF61377DF06A618FF40F01A3BD943CC91D042918D63B1E7F4FAAE13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806808Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:21.848{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9716349857DE28B92F7977A76464F35B,SHA256=5C6E9491037C0937953F53359B0286A1BAB4C90CCBBAE0EC99FCC4A9F33F4988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047359Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:22.874{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D9F08B6D0F0AD4C3B9FFF240846744F,SHA256=336C6747043C909CEADAA45764FD5EAB4E357DA248D271F7CA3FD11A8E626998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806810Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:22.864{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BD9F9196AFC35659193DF3CB8A31926,SHA256=969046DE2C79AE1C0D30655043D69959020A56BAE17130D7E84AD8E0FD7C0FCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806809Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:20.527{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57213-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000806812Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:23.910{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D82CFA3BC15E8CDB8E7BFF8613C158FC,SHA256=08134B9CAF28EB8620479A1D4E56F071953B23ACC09F8735525847CD0A7C1D2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047360Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:23.889{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7723D08F9FA944D2B164FF6447D9B7C2,SHA256=8B36C7F7FC6E133C4988B3DE0BB8817D91DF2F3E24D16C65104F0E6BD5BB0CCF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806811Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:22.355{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57214-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806840Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.926{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08321C6760320410A9E93A89752FE2F6,SHA256=E131187ADA0A027E4AEAD51E9D1D5027E46C91CE6E18995DAF0E561662C66DE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806839Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.926{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F3C8-60EB-5879-00000000D001}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806838Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.926{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806837Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.926{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806836Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.926{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806835Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.926{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806834Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.926{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806833Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.926{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806832Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.926{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806831Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.926{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806830Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.926{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806829Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.926{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F3C8-60EB-5879-00000000D001}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806828Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.926{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F3C8-60EB-5879-00000000D001}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806827Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.911{0C1E0330-F3C8-60EB-5879-00000000D001}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047361Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:24.904{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD479EAD2C08A9BD1D04CEB8714EF0F3,SHA256=EBC42ABF7A372B097DE734537A196C7504B4A6B4BA65015ACC01AA4D2B8D6D13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806826Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.426{0C1E0330-F3C8-60EB-5779-00000000D001}3523512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806825Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.254{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F3C8-60EB-5779-00000000D001}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806824Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.238{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806823Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.238{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806822Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.238{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806821Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.238{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806820Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.238{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806819Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.238{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806818Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.238{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806817Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.238{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806816Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.238{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806815Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.238{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F3C8-60EB-5779-00000000D001}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806814Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.238{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F3C8-60EB-5779-00000000D001}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806813Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.239{0C1E0330-F3C8-60EB-5779-00000000D001}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047363Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:25.937{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8A25811EA5D943F5F6C332E7A4772AC,SHA256=99143DB4293EF959447DA7E6133F96C561247FD33C1B76ED6FF1FF532759E609,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806857Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:25.754{0C1E0330-F3C9-60EB-5979-00000000D001}15488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000806856Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.002{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.218-28122-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 10341000x8000000000000000806855Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:25.613{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F3C9-60EB-5979-00000000D001}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806854Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:25.613{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806853Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:25.613{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806852Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:25.613{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806851Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:25.613{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806850Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:25.613{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806849Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:25.613{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806848Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:25.613{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806847Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:25.613{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806846Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:25.613{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806845Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:25.613{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F3C9-60EB-5979-00000000D001}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806844Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:25.613{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F3C9-60EB-5979-00000000D001}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806843Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:25.598{0C1E0330-F3C9-60EB-5979-00000000D001}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806842Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:25.301{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA6F08FCA467E7DF2FBE19F428623EF9,SHA256=98E9725350076A0E7897024DDAA6F9A3AB2B4D10A076655352BB27218242CA14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806841Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:25.301{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6423D47DA0DD9DEAD78CCF4BD5BF2B7,SHA256=916354ED5C160319356B1DF2EFD639E6CE8D026AFDD3DF0E64173B0B56CE3CB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047362Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:16.787{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50968-false10.0.1.12-8000- 23542300x80000000000000001047369Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:26.955{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51D4DFE4A0A62860FFA97E2D1E551196,SHA256=E450E3F967D1CA36A2405A4AEF59C024D7172D3DBD77955042664129DD55F3F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806885Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.988{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F3CA-60EB-5B79-00000000D001}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806884Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.988{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806883Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.988{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806882Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.988{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806881Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.988{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806880Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.988{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806879Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.988{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806878Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.988{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806877Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.988{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806876Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.988{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F3CA-60EB-5B79-00000000D001}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806875Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.988{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806874Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.973{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F3CA-60EB-5B79-00000000D001}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806873Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.973{0C1E0330-F3CA-60EB-5B79-00000000D001}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806872Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.598{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA6F08FCA467E7DF2FBE19F428623EF9,SHA256=98E9725350076A0E7897024DDAA6F9A3AB2B4D10A076655352BB27218242CA14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806871Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.489{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0BD6C3FD477B33222C0D0E902A6764C,SHA256=C6E99615B759F1F4FF81F0B6801DCFA24B554CD4A84668F6143E62AEDED9D3DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806870Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.301{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F3CA-60EB-5A79-00000000D001}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806869Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.301{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806868Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.301{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806867Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.301{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806866Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.301{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806865Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.301{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806864Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.301{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806863Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.301{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806862Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.301{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806861Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.301{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806860Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.301{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F3CA-60EB-5A79-00000000D001}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806859Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.285{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F3CA-60EB-5A79-00000000D001}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806858Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.286{0C1E0330-F3CA-60EB-5A79-00000000D001}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047368Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:26.403{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2433A24315A2832E989A303883D45F6,SHA256=69C87F84752497B52D6BE7F9249FE99695D4753907B7054B4BC091F35487486C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047367Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:26.403{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACF9E7083283591250BABF71865EFFAF,SHA256=1348CB8A97087BB70CD45899F17E3E4CC98BAE3EF867EA8150210A87444FBDBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047366Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:18.382{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57215-false10.0.1.14win-dc-890.attackrange.local49676- 354300x80000000000000001047365Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:17.791{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse89.248.165.74recyber.net59120-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001047364Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:26.036{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\backup\new 1@2021-07-12_074744MD5=BB87A22CABB0E1CBFD2B4B30711AA20C,SHA256=FA6EE1E8A154941D13A0F4520798BEDC4C573EFE7A1DA8CF9B2F30182DF2332E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047370Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:27.956{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0439D4DEA899D4E67DEDC25566EC32C,SHA256=3758D5E2D5B4E292B87D5085B81A895559B380CE7893077B2ECAC3F7A1339B8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806901Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:27.754{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEFC52F194919D7FB15E3AC1DA179006,SHA256=7449DEBF502309F1CB57CF61D47E89845981C025BFC42B958D86C9F75F46BD40,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806900Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.984{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57215-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 10341000x8000000000000000806899Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:27.676{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F3CB-60EB-5C79-00000000D001}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806898Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:27.676{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806897Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:27.676{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806896Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:27.676{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806895Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:27.676{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806894Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:27.676{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806893Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:27.676{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806892Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:27.676{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806891Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:27.676{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806890Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:27.676{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806889Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:27.660{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F3CB-60EB-5C79-00000000D001}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806888Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:27.660{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F3CB-60EB-5C79-00000000D001}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806887Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:27.661{0C1E0330-F3CB-60EB-5C79-00000000D001}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000806886Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:27.145{0C1E0330-F3CA-60EB-5B79-00000000D001}19401772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000806917Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:28.738{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F530D11E441C4D8C8CFE423560061CD,SHA256=02EC65BAC550825FFE24A8A6B2F5CB311F5413E743CF1D48E646256528DFB471,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047381Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:28.987{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13ea57|C:\Windows\System32\SHELL32.dll+13ded8|C:\Windows\System32\SHELL32.dll+13dadb 10341000x80000000000000001047380Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:28.987{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+1028d3|C:\Windows\System32\SHELL32.dll+103034|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 23542300x80000000000000001047379Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:28.987{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A04F2F29982E94B5EE676ECFC87DD7D,SHA256=C26FF63B67F753CCEF62639F73FD50B7142895CB1B369DA6639BB5D34B51CDC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047378Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:28.987{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+1028d3|C:\Windows\System32\SHELL32.dll+103034|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 10341000x80000000000000001047377Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:28.987{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+1028d3|C:\Windows\System32\SHELL32.dll+103034|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40 10341000x80000000000000001047376Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:28.987{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+1028d3|C:\Windows\System32\SHELL32.dll+103034|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40 10341000x80000000000000001047375Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:28.918{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+1746d2|C:\Windows\System32\windows.storage.dll+174ba6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814 10341000x80000000000000001047374Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:28.918{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1747e9|C:\Windows\System32\windows.storage.dll+174907|C:\Windows\System32\windows.storage.dll+174e38|C:\Windows\System32\windows.storage.dll+1751eb|C:\Windows\System32\windows.storage.dll+143885|C:\Windows\System32\windows.storage.dll+145236|C:\Windows\System32\windows.storage.dll+145ab1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e79c|C:\Windows\System32\SHELL32.dll+6e2e5|C:\Windows\System32\SHELL32.dll+6edfd|C:\Windows\System32\SHELL32.dll+7241f|C:\Windows\System32\SHELL32.dll+13e82e|C:\Windows\System32\SHELL32.dll+13e446|C:\Windows\System32\SHELL32.dll+13dec3|C:\Windows\System32\SHELL32.dll+13dadb 10341000x80000000000000001047373Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:28.918{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+174765|C:\Windows\System32\windows.storage.dll+174907|C:\Windows\System32\windows.storage.dll+174e38|C:\Windows\System32\windows.storage.dll+1751eb|C:\Windows\System32\windows.storage.dll+143885|C:\Windows\System32\windows.storage.dll+145236|C:\Windows\System32\windows.storage.dll+145ab1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e79c|C:\Windows\System32\SHELL32.dll+6e2e5|C:\Windows\System32\SHELL32.dll+6edfd|C:\Windows\System32\SHELL32.dll+7241f|C:\Windows\System32\SHELL32.dll+13e82e|C:\Windows\System32\SHELL32.dll+13e446|C:\Windows\System32\SHELL32.dll+13dec3|C:\Windows\System32\SHELL32.dll+13dadb 10341000x80000000000000001047372Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:28.918{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+174749|C:\Windows\System32\windows.storage.dll+174907|C:\Windows\System32\windows.storage.dll+174e38|C:\Windows\System32\windows.storage.dll+1751eb|C:\Windows\System32\windows.storage.dll+143885|C:\Windows\System32\windows.storage.dll+145236|C:\Windows\System32\windows.storage.dll+145ab1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e79c|C:\Windows\System32\SHELL32.dll+6e2e5|C:\Windows\System32\SHELL32.dll+6edfd|C:\Windows\System32\SHELL32.dll+7241f 10341000x80000000000000001047371Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:28.918{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+174749|C:\Windows\System32\windows.storage.dll+174907|C:\Windows\System32\windows.storage.dll+174e38|C:\Windows\System32\windows.storage.dll+1751eb|C:\Windows\System32\windows.storage.dll+143885|C:\Windows\System32\windows.storage.dll+145236|C:\Windows\System32\windows.storage.dll+145ab1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e79c|C:\Windows\System32\SHELL32.dll+6e2e5|C:\Windows\System32\SHELL32.dll+6edfd|C:\Windows\System32\SHELL32.dll+7241f|C:\Windows\System32\SHELL32.dll+13e82e 10341000x8000000000000000806916Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:28.504{0C1E0330-F3CC-60EB-5D79-00000000D001}25603380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806915Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:28.363{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F3CC-60EB-5D79-00000000D001}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806914Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:28.363{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806913Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:28.363{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806912Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:28.363{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806911Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:28.363{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806910Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:28.363{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806909Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:28.363{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806908Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:28.363{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806907Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:28.363{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806906Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:28.363{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806905Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:28.363{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F3CC-60EB-5D79-00000000D001}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806904Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:28.363{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F3CC-60EB-5D79-00000000D001}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806903Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:28.349{0C1E0330-F3CC-60EB-5D79-00000000D001}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806902Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:28.082{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=259BC8DB5F033D4ECA4C34BED630EA61,SHA256=43B21024A9843B5E89FC826C5F16881F1D3D0C45642D37E9680C3A732BACFE7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806920Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:28.277{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57216-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806919Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:29.738{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=784910FD995797B3919CDDC767365068,SHA256=B0DA6E80AA168D28128B311F7C9ADF9A6CE0816382764E15ABE4869FB64FF3AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047437Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.286{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047436Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.286{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\System32\SHELL32.dll+83770|C:\Windows\System32\SHELL32.dll+8369d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program Files\Notepad++\notepad++.exe+169a0f|C:\Program Files\Notepad++\notepad++.exe+1675f3|C:\Program Files\Notepad++\notepad++.exe+202e5a|C:\Program Files\Notepad++\notepad++.exe+202686 10341000x80000000000000001047435Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.286{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\System32\SHELL32.dll+83770|C:\Windows\System32\SHELL32.dll+8369d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program Files\Notepad++\notepad++.exe+169a0f|C:\Program Files\Notepad++\notepad++.exe+1675f3|C:\Program Files\Notepad++\notepad++.exe+202e5a|C:\Program Files\Notepad++\notepad++.exe+202686 10341000x80000000000000001047434Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.286{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\System32\SHELL32.dll+83770|C:\Windows\System32\SHELL32.dll+8369d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4 10341000x80000000000000001047433Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.286{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\System32\SHELL32.dll+83770|C:\Windows\System32\SHELL32.dll+8369d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program Files\Notepad++\notepad++.exe+169a0f 23542300x80000000000000001047432Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.271{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7849814C227CBE92595CBB5907D2AA83,SHA256=ACA831EA5E06DB7FC755DDE21F82351F10137E95599610AC6AAD74357B3D7D9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047431Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047430Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047429Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047428Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047427Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047426Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047425Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047424Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 23542300x8000000000000000806918Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:29.363{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6D26D7A3BA5B4D09A3A9CAC9A220705,SHA256=D0327D79C92F305DC0DFA918AF96245A61AA3F7484833E305A17CF6332056B54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047423Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047422Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047421Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001047420Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047419Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047418Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047417Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001047416Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047415Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047414Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047413Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001047412Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.040{466BC892-35E4-60E8-4B0C-00000000CF01}